1 #include "qemu/osdep.h"
4 #include "exec/gdbstub.h"
5 #include "exec/helper-proto.h"
6 #include "qemu/host-utils.h"
7 #include "sysemu/arch_init.h"
8 #include "sysemu/sysemu.h"
9 #include "qemu/bitops.h"
10 #include "qemu/crc32c.h"
11 #include "exec/cpu_ldst.h"
13 #include <zlib.h> /* For crc32 */
14 #include "exec/semihost.h"
15 #include "sysemu/kvm.h"
17 #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
19 #ifndef CONFIG_USER_ONLY
20 static bool get_phys_addr(CPUARMState *env, target_ulong address,
21 int access_type, ARMMMUIdx mmu_idx,
22 hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
23 target_ulong *page_size, uint32_t *fsr,
26 static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
27 int access_type, ARMMMUIdx mmu_idx,
28 hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
29 target_ulong *page_size_ptr, uint32_t *fsr,
32 /* Definitions for the PMCCNTR and PMCR registers */
38 static int vfp_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
42 /* VFP data registers are always little-endian. */
43 nregs = arm_feature(env, ARM_FEATURE_VFP3) ? 32 : 16;
45 stfq_le_p(buf, env->vfp.regs[reg]);
48 if (arm_feature(env, ARM_FEATURE_NEON)) {
49 /* Aliases for Q regs. */
52 stfq_le_p(buf, env->vfp.regs[(reg - 32) * 2]);
53 stfq_le_p(buf + 8, env->vfp.regs[(reg - 32) * 2 + 1]);
57 switch (reg - nregs) {
58 case 0: stl_p(buf, env->vfp.xregs[ARM_VFP_FPSID]); return 4;
59 case 1: stl_p(buf, env->vfp.xregs[ARM_VFP_FPSCR]); return 4;
60 case 2: stl_p(buf, env->vfp.xregs[ARM_VFP_FPEXC]); return 4;
65 static int vfp_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg)
69 nregs = arm_feature(env, ARM_FEATURE_VFP3) ? 32 : 16;
71 env->vfp.regs[reg] = ldfq_le_p(buf);
74 if (arm_feature(env, ARM_FEATURE_NEON)) {
77 env->vfp.regs[(reg - 32) * 2] = ldfq_le_p(buf);
78 env->vfp.regs[(reg - 32) * 2 + 1] = ldfq_le_p(buf + 8);
82 switch (reg - nregs) {
83 case 0: env->vfp.xregs[ARM_VFP_FPSID] = ldl_p(buf); return 4;
84 case 1: env->vfp.xregs[ARM_VFP_FPSCR] = ldl_p(buf); return 4;
85 case 2: env->vfp.xregs[ARM_VFP_FPEXC] = ldl_p(buf) & (1 << 30); return 4;
90 static int aarch64_fpu_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
94 /* 128 bit FP register */
95 stfq_le_p(buf, env->vfp.regs[reg * 2]);
96 stfq_le_p(buf + 8, env->vfp.regs[reg * 2 + 1]);
100 stl_p(buf, vfp_get_fpsr(env));
104 stl_p(buf, vfp_get_fpcr(env));
111 static int aarch64_fpu_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg)
115 /* 128 bit FP register */
116 env->vfp.regs[reg * 2] = ldfq_le_p(buf);
117 env->vfp.regs[reg * 2 + 1] = ldfq_le_p(buf + 8);
121 vfp_set_fpsr(env, ldl_p(buf));
125 vfp_set_fpcr(env, ldl_p(buf));
132 static uint64_t raw_read(CPUARMState *env, const ARMCPRegInfo *ri)
134 assert(ri->fieldoffset);
135 if (cpreg_field_is_64bit(ri)) {
136 return CPREG_FIELD64(env, ri);
138 return CPREG_FIELD32(env, ri);
142 static void raw_write(CPUARMState *env, const ARMCPRegInfo *ri,
145 assert(ri->fieldoffset);
146 if (cpreg_field_is_64bit(ri)) {
147 CPREG_FIELD64(env, ri) = value;
149 CPREG_FIELD32(env, ri) = value;
153 static void *raw_ptr(CPUARMState *env, const ARMCPRegInfo *ri)
155 return (char *)env + ri->fieldoffset;
158 uint64_t read_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri)
160 /* Raw read of a coprocessor register (as needed for migration, etc). */
161 if (ri->type & ARM_CP_CONST) {
162 return ri->resetvalue;
163 } else if (ri->raw_readfn) {
164 return ri->raw_readfn(env, ri);
165 } else if (ri->readfn) {
166 return ri->readfn(env, ri);
168 return raw_read(env, ri);
172 static void write_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri,
175 /* Raw write of a coprocessor register (as needed for migration, etc).
176 * Note that constant registers are treated as write-ignored; the
177 * caller should check for success by whether a readback gives the
180 if (ri->type & ARM_CP_CONST) {
182 } else if (ri->raw_writefn) {
183 ri->raw_writefn(env, ri, v);
184 } else if (ri->writefn) {
185 ri->writefn(env, ri, v);
187 raw_write(env, ri, v);
191 static bool raw_accessors_invalid(const ARMCPRegInfo *ri)
193 /* Return true if the regdef would cause an assertion if you called
194 * read_raw_cp_reg() or write_raw_cp_reg() on it (ie if it is a
195 * program bug for it not to have the NO_RAW flag).
196 * NB that returning false here doesn't necessarily mean that calling
197 * read/write_raw_cp_reg() is safe, because we can't distinguish "has
198 * read/write access functions which are safe for raw use" from "has
199 * read/write access functions which have side effects but has forgotten
200 * to provide raw access functions".
201 * The tests here line up with the conditions in read/write_raw_cp_reg()
202 * and assertions in raw_read()/raw_write().
204 if ((ri->type & ARM_CP_CONST) ||
206 ((ri->raw_writefn || ri->writefn) && (ri->raw_readfn || ri->readfn))) {
212 bool write_cpustate_to_list(ARMCPU *cpu)
214 /* Write the coprocessor state from cpu->env to the (index,value) list. */
218 for (i = 0; i < cpu->cpreg_array_len; i++) {
219 uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[i]);
220 const ARMCPRegInfo *ri;
222 ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
227 if (ri->type & ARM_CP_NO_RAW) {
230 cpu->cpreg_values[i] = read_raw_cp_reg(&cpu->env, ri);
235 bool write_list_to_cpustate(ARMCPU *cpu)
240 for (i = 0; i < cpu->cpreg_array_len; i++) {
241 uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[i]);
242 uint64_t v = cpu->cpreg_values[i];
243 const ARMCPRegInfo *ri;
245 ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
250 if (ri->type & ARM_CP_NO_RAW) {
253 /* Write value and confirm it reads back as written
254 * (to catch read-only registers and partially read-only
255 * registers where the incoming migration value doesn't match)
257 write_raw_cp_reg(&cpu->env, ri, v);
258 if (read_raw_cp_reg(&cpu->env, ri) != v) {
265 static void add_cpreg_to_list(gpointer key, gpointer opaque)
267 ARMCPU *cpu = opaque;
269 const ARMCPRegInfo *ri;
271 regidx = *(uint32_t *)key;
272 ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
274 if (!(ri->type & (ARM_CP_NO_RAW|ARM_CP_ALIAS))) {
275 cpu->cpreg_indexes[cpu->cpreg_array_len] = cpreg_to_kvm_id(regidx);
276 /* The value array need not be initialized at this point */
277 cpu->cpreg_array_len++;
281 static void count_cpreg(gpointer key, gpointer opaque)
283 ARMCPU *cpu = opaque;
285 const ARMCPRegInfo *ri;
287 regidx = *(uint32_t *)key;
288 ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
290 if (!(ri->type & (ARM_CP_NO_RAW|ARM_CP_ALIAS))) {
291 cpu->cpreg_array_len++;
295 static gint cpreg_key_compare(gconstpointer a, gconstpointer b)
297 uint64_t aidx = cpreg_to_kvm_id(*(uint32_t *)a);
298 uint64_t bidx = cpreg_to_kvm_id(*(uint32_t *)b);
309 void init_cpreg_list(ARMCPU *cpu)
311 /* Initialise the cpreg_tuples[] array based on the cp_regs hash.
312 * Note that we require cpreg_tuples[] to be sorted by key ID.
317 keys = g_hash_table_get_keys(cpu->cp_regs);
318 keys = g_list_sort(keys, cpreg_key_compare);
320 cpu->cpreg_array_len = 0;
322 g_list_foreach(keys, count_cpreg, cpu);
324 arraylen = cpu->cpreg_array_len;
325 cpu->cpreg_indexes = g_new(uint64_t, arraylen);
326 cpu->cpreg_values = g_new(uint64_t, arraylen);
327 cpu->cpreg_vmstate_indexes = g_new(uint64_t, arraylen);
328 cpu->cpreg_vmstate_values = g_new(uint64_t, arraylen);
329 cpu->cpreg_vmstate_array_len = cpu->cpreg_array_len;
330 cpu->cpreg_array_len = 0;
332 g_list_foreach(keys, add_cpreg_to_list, cpu);
334 assert(cpu->cpreg_array_len == arraylen);
340 * Some registers are not accessible if EL3.NS=0 and EL3 is using AArch32 but
341 * they are accessible when EL3 is using AArch64 regardless of EL3.NS.
343 * access_el3_aa32ns: Used to check AArch32 register views.
344 * access_el3_aa32ns_aa64any: Used to check both AArch32/64 register views.
346 static CPAccessResult access_el3_aa32ns(CPUARMState *env,
347 const ARMCPRegInfo *ri,
350 bool secure = arm_is_secure_below_el3(env);
352 assert(!arm_el_is_aa64(env, 3));
354 return CP_ACCESS_TRAP_UNCATEGORIZED;
359 static CPAccessResult access_el3_aa32ns_aa64any(CPUARMState *env,
360 const ARMCPRegInfo *ri,
363 if (!arm_el_is_aa64(env, 3)) {
364 return access_el3_aa32ns(env, ri, isread);
369 /* Some secure-only AArch32 registers trap to EL3 if used from
370 * Secure EL1 (but are just ordinary UNDEF in other non-EL3 contexts).
371 * Note that an access from Secure EL1 can only happen if EL3 is AArch64.
372 * We assume that the .access field is set to PL1_RW.
374 static CPAccessResult access_trap_aa32s_el1(CPUARMState *env,
375 const ARMCPRegInfo *ri,
378 if (arm_current_el(env) == 3) {
381 if (arm_is_secure_below_el3(env)) {
382 return CP_ACCESS_TRAP_EL3;
384 /* This will be EL1 NS and EL2 NS, which just UNDEF */
385 return CP_ACCESS_TRAP_UNCATEGORIZED;
388 /* Check for traps to "powerdown debug" registers, which are controlled
391 static CPAccessResult access_tdosa(CPUARMState *env, const ARMCPRegInfo *ri,
394 int el = arm_current_el(env);
396 if (el < 2 && (env->cp15.mdcr_el2 & MDCR_TDOSA)
397 && !arm_is_secure_below_el3(env)) {
398 return CP_ACCESS_TRAP_EL2;
400 if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDOSA)) {
401 return CP_ACCESS_TRAP_EL3;
406 /* Check for traps to "debug ROM" registers, which are controlled
407 * by MDCR_EL2.TDRA for EL2 but by the more general MDCR_EL3.TDA for EL3.
409 static CPAccessResult access_tdra(CPUARMState *env, const ARMCPRegInfo *ri,
412 int el = arm_current_el(env);
414 if (el < 2 && (env->cp15.mdcr_el2 & MDCR_TDRA)
415 && !arm_is_secure_below_el3(env)) {
416 return CP_ACCESS_TRAP_EL2;
418 if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDA)) {
419 return CP_ACCESS_TRAP_EL3;
424 /* Check for traps to general debug registers, which are controlled
425 * by MDCR_EL2.TDA for EL2 and MDCR_EL3.TDA for EL3.
427 static CPAccessResult access_tda(CPUARMState *env, const ARMCPRegInfo *ri,
430 int el = arm_current_el(env);
432 if (el < 2 && (env->cp15.mdcr_el2 & MDCR_TDA)
433 && !arm_is_secure_below_el3(env)) {
434 return CP_ACCESS_TRAP_EL2;
436 if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDA)) {
437 return CP_ACCESS_TRAP_EL3;
442 static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
444 ARMCPU *cpu = arm_env_get_cpu(env);
446 raw_write(env, ri, value);
447 tlb_flush(CPU(cpu), 1); /* Flush TLB as domain not tracked in TLB */
450 static void fcse_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
452 ARMCPU *cpu = arm_env_get_cpu(env);
454 if (raw_read(env, ri) != value) {
455 /* Unlike real hardware the qemu TLB uses virtual addresses,
456 * not modified virtual addresses, so this causes a TLB flush.
458 tlb_flush(CPU(cpu), 1);
459 raw_write(env, ri, value);
463 static void contextidr_write(CPUARMState *env, const ARMCPRegInfo *ri,
466 ARMCPU *cpu = arm_env_get_cpu(env);
468 if (raw_read(env, ri) != value && !arm_feature(env, ARM_FEATURE_MPU)
469 && !extended_addresses_enabled(env)) {
470 /* For VMSA (when not using the LPAE long descriptor page table
471 * format) this register includes the ASID, so do a TLB flush.
472 * For PMSA it is purely a process ID and no action is needed.
474 tlb_flush(CPU(cpu), 1);
476 raw_write(env, ri, value);
479 static void tlbiall_write(CPUARMState *env, const ARMCPRegInfo *ri,
482 /* Invalidate all (TLBIALL) */
483 ARMCPU *cpu = arm_env_get_cpu(env);
485 tlb_flush(CPU(cpu), 1);
488 static void tlbimva_write(CPUARMState *env, const ARMCPRegInfo *ri,
491 /* Invalidate single TLB entry by MVA and ASID (TLBIMVA) */
492 ARMCPU *cpu = arm_env_get_cpu(env);
494 tlb_flush_page(CPU(cpu), value & TARGET_PAGE_MASK);
497 static void tlbiasid_write(CPUARMState *env, const ARMCPRegInfo *ri,
500 /* Invalidate by ASID (TLBIASID) */
501 ARMCPU *cpu = arm_env_get_cpu(env);
503 tlb_flush(CPU(cpu), value == 0);
506 static void tlbimvaa_write(CPUARMState *env, const ARMCPRegInfo *ri,
509 /* Invalidate single entry by MVA, all ASIDs (TLBIMVAA) */
510 ARMCPU *cpu = arm_env_get_cpu(env);
512 tlb_flush_page(CPU(cpu), value & TARGET_PAGE_MASK);
515 /* IS variants of TLB operations must affect all cores */
516 static void tlbiall_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
521 CPU_FOREACH(other_cs) {
522 tlb_flush(other_cs, 1);
526 static void tlbiasid_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
531 CPU_FOREACH(other_cs) {
532 tlb_flush(other_cs, value == 0);
536 static void tlbimva_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
541 CPU_FOREACH(other_cs) {
542 tlb_flush_page(other_cs, value & TARGET_PAGE_MASK);
546 static void tlbimvaa_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
551 CPU_FOREACH(other_cs) {
552 tlb_flush_page(other_cs, value & TARGET_PAGE_MASK);
556 static const ARMCPRegInfo cp_reginfo[] = {
557 /* Define the secure and non-secure FCSE identifier CP registers
558 * separately because there is no secure bank in V8 (no _EL3). This allows
559 * the secure register to be properly reset and migrated. There is also no
560 * v8 EL1 version of the register so the non-secure instance stands alone.
562 { .name = "FCSEIDR(NS)",
563 .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 0,
564 .access = PL1_RW, .secure = ARM_CP_SECSTATE_NS,
565 .fieldoffset = offsetof(CPUARMState, cp15.fcseidr_ns),
566 .resetvalue = 0, .writefn = fcse_write, .raw_writefn = raw_write, },
567 { .name = "FCSEIDR(S)",
568 .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 0,
569 .access = PL1_RW, .secure = ARM_CP_SECSTATE_S,
570 .fieldoffset = offsetof(CPUARMState, cp15.fcseidr_s),
571 .resetvalue = 0, .writefn = fcse_write, .raw_writefn = raw_write, },
572 /* Define the secure and non-secure context identifier CP registers
573 * separately because there is no secure bank in V8 (no _EL3). This allows
574 * the secure register to be properly reset and migrated. In the
575 * non-secure case, the 32-bit register will have reset and migration
576 * disabled during registration as it is handled by the 64-bit instance.
578 { .name = "CONTEXTIDR_EL1", .state = ARM_CP_STATE_BOTH,
579 .opc0 = 3, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1,
580 .access = PL1_RW, .secure = ARM_CP_SECSTATE_NS,
581 .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[1]),
582 .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, },
583 { .name = "CONTEXTIDR(S)", .state = ARM_CP_STATE_AA32,
584 .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1,
585 .access = PL1_RW, .secure = ARM_CP_SECSTATE_S,
586 .fieldoffset = offsetof(CPUARMState, cp15.contextidr_s),
587 .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, },
591 static const ARMCPRegInfo not_v8_cp_reginfo[] = {
592 /* NB: Some of these registers exist in v8 but with more precise
593 * definitions that don't use CP_ANY wildcards (mostly in v8_cp_reginfo[]).
595 /* MMU Domain access control / MPU write buffer control */
597 .cp = 15, .opc1 = CP_ANY, .crn = 3, .crm = CP_ANY, .opc2 = CP_ANY,
598 .access = PL1_RW, .resetvalue = 0,
599 .writefn = dacr_write, .raw_writefn = raw_write,
600 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dacr_s),
601 offsetoflow32(CPUARMState, cp15.dacr_ns) } },
602 /* ARMv7 allocates a range of implementation defined TLB LOCKDOWN regs.
603 * For v6 and v5, these mappings are overly broad.
605 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 0,
606 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
607 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 1,
608 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
609 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 4,
610 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
611 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 8,
612 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
613 /* Cache maintenance ops; some of this space may be overridden later. */
614 { .name = "CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY,
615 .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W,
616 .type = ARM_CP_NOP | ARM_CP_OVERRIDE },
620 static const ARMCPRegInfo not_v6_cp_reginfo[] = {
621 /* Not all pre-v6 cores implemented this WFI, so this is slightly
624 { .name = "WFI_v5", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = 2,
625 .access = PL1_W, .type = ARM_CP_WFI },
629 static const ARMCPRegInfo not_v7_cp_reginfo[] = {
630 /* Standard v6 WFI (also used in some pre-v6 cores); not in v7 (which
631 * is UNPREDICTABLE; we choose to NOP as most implementations do).
633 { .name = "WFI_v6", .cp = 15, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 4,
634 .access = PL1_W, .type = ARM_CP_WFI },
635 /* L1 cache lockdown. Not architectural in v6 and earlier but in practice
636 * implemented in 926, 946, 1026, 1136, 1176 and 11MPCore. StrongARM and
637 * OMAPCP will override this space.
639 { .name = "DLOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 0, .opc2 = 0,
640 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_data),
642 { .name = "ILOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 0, .opc2 = 1,
643 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_insn),
645 /* v6 doesn't have the cache ID registers but Linux reads them anyway */
646 { .name = "DUMMY", .cp = 15, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = CP_ANY,
647 .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
649 /* We don't implement pre-v7 debug but most CPUs had at least a DBGDIDR;
650 * implementing it as RAZ means the "debug architecture version" bits
651 * will read as a reserved value, which should cause Linux to not try
652 * to use the debug hardware.
654 { .name = "DBGDIDR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 0,
655 .access = PL0_R, .type = ARM_CP_CONST, .resetvalue = 0 },
656 /* MMU TLB control. Note that the wildcarding means we cover not just
657 * the unified TLB ops but also the dside/iside/inner-shareable variants.
659 { .name = "TLBIALL", .cp = 15, .crn = 8, .crm = CP_ANY,
660 .opc1 = CP_ANY, .opc2 = 0, .access = PL1_W, .writefn = tlbiall_write,
661 .type = ARM_CP_NO_RAW },
662 { .name = "TLBIMVA", .cp = 15, .crn = 8, .crm = CP_ANY,
663 .opc1 = CP_ANY, .opc2 = 1, .access = PL1_W, .writefn = tlbimva_write,
664 .type = ARM_CP_NO_RAW },
665 { .name = "TLBIASID", .cp = 15, .crn = 8, .crm = CP_ANY,
666 .opc1 = CP_ANY, .opc2 = 2, .access = PL1_W, .writefn = tlbiasid_write,
667 .type = ARM_CP_NO_RAW },
668 { .name = "TLBIMVAA", .cp = 15, .crn = 8, .crm = CP_ANY,
669 .opc1 = CP_ANY, .opc2 = 3, .access = PL1_W, .writefn = tlbimvaa_write,
670 .type = ARM_CP_NO_RAW },
671 { .name = "PRRR", .cp = 15, .crn = 10, .crm = 2,
672 .opc1 = 0, .opc2 = 0, .access = PL1_RW, .type = ARM_CP_NOP },
673 { .name = "NMRR", .cp = 15, .crn = 10, .crm = 2,
674 .opc1 = 0, .opc2 = 1, .access = PL1_RW, .type = ARM_CP_NOP },
678 static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
683 /* In ARMv8 most bits of CPACR_EL1 are RES0. */
684 if (!arm_feature(env, ARM_FEATURE_V8)) {
685 /* ARMv7 defines bits for unimplemented coprocessors as RAZ/WI.
686 * ASEDIS [31] and D32DIS [30] are both UNK/SBZP without VFP.
687 * TRCDIS [28] is RAZ/WI since we do not implement a trace macrocell.
689 if (arm_feature(env, ARM_FEATURE_VFP)) {
690 /* VFP coprocessor: cp10 & cp11 [23:20] */
691 mask |= (1 << 31) | (1 << 30) | (0xf << 20);
693 if (!arm_feature(env, ARM_FEATURE_NEON)) {
694 /* ASEDIS [31] bit is RAO/WI */
698 /* VFPv3 and upwards with NEON implement 32 double precision
699 * registers (D0-D31).
701 if (!arm_feature(env, ARM_FEATURE_NEON) ||
702 !arm_feature(env, ARM_FEATURE_VFP3)) {
703 /* D32DIS [30] is RAO/WI if D16-31 are not implemented. */
709 env->cp15.cpacr_el1 = value;
712 static CPAccessResult cpacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
715 if (arm_feature(env, ARM_FEATURE_V8)) {
716 /* Check if CPACR accesses are to be trapped to EL2 */
717 if (arm_current_el(env) == 1 &&
718 (env->cp15.cptr_el[2] & CPTR_TCPAC) && !arm_is_secure(env)) {
719 return CP_ACCESS_TRAP_EL2;
720 /* Check if CPACR accesses are to be trapped to EL3 */
721 } else if (arm_current_el(env) < 3 &&
722 (env->cp15.cptr_el[3] & CPTR_TCPAC)) {
723 return CP_ACCESS_TRAP_EL3;
730 static CPAccessResult cptr_access(CPUARMState *env, const ARMCPRegInfo *ri,
733 /* Check if CPTR accesses are set to trap to EL3 */
734 if (arm_current_el(env) == 2 && (env->cp15.cptr_el[3] & CPTR_TCPAC)) {
735 return CP_ACCESS_TRAP_EL3;
741 static const ARMCPRegInfo v6_cp_reginfo[] = {
742 /* prefetch by MVA in v6, NOP in v7 */
743 { .name = "MVA_prefetch",
744 .cp = 15, .crn = 7, .crm = 13, .opc1 = 0, .opc2 = 1,
745 .access = PL1_W, .type = ARM_CP_NOP },
746 /* We need to break the TB after ISB to execute self-modifying code
747 * correctly and also to take any pending interrupts immediately.
748 * So use arm_cp_write_ignore() function instead of ARM_CP_NOP flag.
750 { .name = "ISB", .cp = 15, .crn = 7, .crm = 5, .opc1 = 0, .opc2 = 4,
751 .access = PL0_W, .type = ARM_CP_NO_RAW, .writefn = arm_cp_write_ignore },
752 { .name = "DSB", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 4,
753 .access = PL0_W, .type = ARM_CP_NOP },
754 { .name = "DMB", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 5,
755 .access = PL0_W, .type = ARM_CP_NOP },
756 { .name = "IFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 2,
758 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ifar_s),
759 offsetof(CPUARMState, cp15.ifar_ns) },
761 /* Watchpoint Fault Address Register : should actually only be present
762 * for 1136, 1176, 11MPCore.
764 { .name = "WFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 1,
765 .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, },
766 { .name = "CPACR", .state = ARM_CP_STATE_BOTH, .opc0 = 3,
767 .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access,
768 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1),
769 .resetvalue = 0, .writefn = cpacr_write },
773 static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
776 /* Performance monitor registers user accessibility is controlled
779 if (arm_current_el(env) == 0 && !env->cp15.c9_pmuserenr) {
780 return CP_ACCESS_TRAP;
785 #ifndef CONFIG_USER_ONLY
787 static inline bool arm_ccnt_enabled(CPUARMState *env)
789 /* This does not support checking PMCCFILTR_EL0 register */
791 if (!(env->cp15.c9_pmcr & PMCRE)) {
798 void pmccntr_sync(CPUARMState *env)
802 temp_ticks = muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
803 ARM_CPU_FREQ, NANOSECONDS_PER_SECOND);
805 if (env->cp15.c9_pmcr & PMCRD) {
806 /* Increment once every 64 processor clock cycles */
810 if (arm_ccnt_enabled(env)) {
811 env->cp15.c15_ccnt = temp_ticks - env->cp15.c15_ccnt;
815 static void pmcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
821 /* The counter has been reset */
822 env->cp15.c15_ccnt = 0;
825 /* only the DP, X, D and E bits are writable */
826 env->cp15.c9_pmcr &= ~0x39;
827 env->cp15.c9_pmcr |= (value & 0x39);
832 static uint64_t pmccntr_read(CPUARMState *env, const ARMCPRegInfo *ri)
834 uint64_t total_ticks;
836 if (!arm_ccnt_enabled(env)) {
837 /* Counter is disabled, do not change value */
838 return env->cp15.c15_ccnt;
841 total_ticks = muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
842 ARM_CPU_FREQ, NANOSECONDS_PER_SECOND);
844 if (env->cp15.c9_pmcr & PMCRD) {
845 /* Increment once every 64 processor clock cycles */
848 return total_ticks - env->cp15.c15_ccnt;
851 static void pmccntr_write(CPUARMState *env, const ARMCPRegInfo *ri,
854 uint64_t total_ticks;
856 if (!arm_ccnt_enabled(env)) {
857 /* Counter is disabled, set the absolute value */
858 env->cp15.c15_ccnt = value;
862 total_ticks = muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
863 ARM_CPU_FREQ, NANOSECONDS_PER_SECOND);
865 if (env->cp15.c9_pmcr & PMCRD) {
866 /* Increment once every 64 processor clock cycles */
869 env->cp15.c15_ccnt = total_ticks - value;
872 static void pmccntr_write32(CPUARMState *env, const ARMCPRegInfo *ri,
875 uint64_t cur_val = pmccntr_read(env, NULL);
877 pmccntr_write(env, ri, deposit64(cur_val, 0, 32, value));
880 #else /* CONFIG_USER_ONLY */
882 void pmccntr_sync(CPUARMState *env)
888 static void pmccfiltr_write(CPUARMState *env, const ARMCPRegInfo *ri,
892 env->cp15.pmccfiltr_el0 = value & 0x7E000000;
896 static void pmcntenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
900 env->cp15.c9_pmcnten |= value;
903 static void pmcntenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
907 env->cp15.c9_pmcnten &= ~value;
910 static void pmovsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
913 env->cp15.c9_pmovsr &= ~value;
916 static void pmxevtyper_write(CPUARMState *env, const ARMCPRegInfo *ri,
919 env->cp15.c9_pmxevtyper = value & 0xff;
922 static void pmuserenr_write(CPUARMState *env, const ARMCPRegInfo *ri,
925 env->cp15.c9_pmuserenr = value & 1;
928 static void pmintenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
931 /* We have no event counters so only the C bit can be changed */
933 env->cp15.c9_pminten |= value;
936 static void pmintenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
940 env->cp15.c9_pminten &= ~value;
943 static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
946 /* Note that even though the AArch64 view of this register has bits
947 * [10:0] all RES0 we can only mask the bottom 5, to comply with the
948 * architectural requirements for bits which are RES0 only in some
949 * contexts. (ARMv8 would permit us to do no masking at all, but ARMv7
950 * requires the bottom five bits to be RAZ/WI because they're UNK/SBZP.)
952 raw_write(env, ri, value & ~0x1FULL);
955 static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
957 /* We only mask off bits that are RES0 both for AArch64 and AArch32.
958 * For bits that vary between AArch32/64, code needs to check the
959 * current execution mode before directly using the feature bit.
961 uint32_t valid_mask = SCR_AARCH64_MASK | SCR_AARCH32_MASK;
963 if (!arm_feature(env, ARM_FEATURE_EL2)) {
964 valid_mask &= ~SCR_HCE;
966 /* On ARMv7, SMD (or SCD as it is called in v7) is only
967 * supported if EL2 exists. The bit is UNK/SBZP when
968 * EL2 is unavailable. In QEMU ARMv7, we force it to always zero
969 * when EL2 is unavailable.
970 * On ARMv8, this bit is always available.
972 if (arm_feature(env, ARM_FEATURE_V7) &&
973 !arm_feature(env, ARM_FEATURE_V8)) {
974 valid_mask &= ~SCR_SMD;
978 /* Clear all-context RES0 bits. */
980 raw_write(env, ri, value);
983 static uint64_t ccsidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
985 ARMCPU *cpu = arm_env_get_cpu(env);
987 /* Acquire the CSSELR index from the bank corresponding to the CCSIDR
990 uint32_t index = A32_BANKED_REG_GET(env, csselr,
991 ri->secure & ARM_CP_SECSTATE_S);
993 return cpu->ccsidr[index];
996 static void csselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
999 raw_write(env, ri, value & 0xf);
1002 static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
1004 CPUState *cs = ENV_GET_CPU(env);
1007 if (cs->interrupt_request & CPU_INTERRUPT_HARD) {
1010 if (cs->interrupt_request & CPU_INTERRUPT_FIQ) {
1013 /* External aborts are not possible in QEMU so A bit is always clear */
1017 static const ARMCPRegInfo v7_cp_reginfo[] = {
1018 /* the old v6 WFI, UNPREDICTABLE in v7 but we choose to NOP */
1019 { .name = "NOP", .cp = 15, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 4,
1020 .access = PL1_W, .type = ARM_CP_NOP },
1021 /* Performance monitors are implementation defined in v7,
1022 * but with an ARM recommended set of registers, which we
1023 * follow (although we don't actually implement any counters)
1025 * Performance registers fall into three categories:
1026 * (a) always UNDEF in PL0, RW in PL1 (PMINTENSET, PMINTENCLR)
1027 * (b) RO in PL0 (ie UNDEF on write), RW in PL1 (PMUSERENR)
1028 * (c) UNDEF in PL0 if PMUSERENR.EN==0, otherwise accessible (all others)
1029 * For the cases controlled by PMUSERENR we must set .access to PL0_RW
1030 * or PL0_RO as appropriate and then check PMUSERENR in the helper fn.
1032 { .name = "PMCNTENSET", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 1,
1033 .access = PL0_RW, .type = ARM_CP_ALIAS,
1034 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcnten),
1035 .writefn = pmcntenset_write,
1036 .accessfn = pmreg_access,
1037 .raw_writefn = raw_write },
1038 { .name = "PMCNTENSET_EL0", .state = ARM_CP_STATE_AA64,
1039 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 1,
1040 .access = PL0_RW, .accessfn = pmreg_access,
1041 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcnten), .resetvalue = 0,
1042 .writefn = pmcntenset_write, .raw_writefn = raw_write },
1043 { .name = "PMCNTENCLR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 2,
1045 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcnten),
1046 .accessfn = pmreg_access,
1047 .writefn = pmcntenclr_write,
1048 .type = ARM_CP_ALIAS },
1049 { .name = "PMCNTENCLR_EL0", .state = ARM_CP_STATE_AA64,
1050 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 2,
1051 .access = PL0_RW, .accessfn = pmreg_access,
1052 .type = ARM_CP_ALIAS,
1053 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcnten),
1054 .writefn = pmcntenclr_write },
1055 { .name = "PMOVSR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 3,
1056 .access = PL0_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr),
1057 .accessfn = pmreg_access,
1058 .writefn = pmovsr_write,
1059 .raw_writefn = raw_write },
1060 { .name = "PMOVSCLR_EL0", .state = ARM_CP_STATE_AA64,
1061 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 3,
1062 .access = PL0_RW, .accessfn = pmreg_access,
1063 .type = ARM_CP_ALIAS,
1064 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr),
1065 .writefn = pmovsr_write,
1066 .raw_writefn = raw_write },
1067 /* Unimplemented so WI. */
1068 { .name = "PMSWINC", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 4,
1069 .access = PL0_W, .accessfn = pmreg_access, .type = ARM_CP_NOP },
1070 /* Since we don't implement any events, writing to PMSELR is UNPREDICTABLE.
1071 * We choose to RAZ/WI.
1073 { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
1074 .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
1075 .accessfn = pmreg_access },
1076 #ifndef CONFIG_USER_ONLY
1077 { .name = "PMCCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 0,
1078 .access = PL0_RW, .resetvalue = 0, .type = ARM_CP_IO,
1079 .readfn = pmccntr_read, .writefn = pmccntr_write32,
1080 .accessfn = pmreg_access },
1081 { .name = "PMCCNTR_EL0", .state = ARM_CP_STATE_AA64,
1082 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 0,
1083 .access = PL0_RW, .accessfn = pmreg_access,
1085 .readfn = pmccntr_read, .writefn = pmccntr_write, },
1087 { .name = "PMCCFILTR_EL0", .state = ARM_CP_STATE_AA64,
1088 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 15, .opc2 = 7,
1089 .writefn = pmccfiltr_write,
1090 .access = PL0_RW, .accessfn = pmreg_access,
1092 .fieldoffset = offsetof(CPUARMState, cp15.pmccfiltr_el0),
1094 { .name = "PMXEVTYPER", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 1,
1096 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmxevtyper),
1097 .accessfn = pmreg_access, .writefn = pmxevtyper_write,
1098 .raw_writefn = raw_write },
1099 /* Unimplemented, RAZ/WI. */
1100 { .name = "PMXEVCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 2,
1101 .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
1102 .accessfn = pmreg_access },
1103 { .name = "PMUSERENR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 0,
1104 .access = PL0_R | PL1_RW,
1105 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmuserenr),
1107 .writefn = pmuserenr_write, .raw_writefn = raw_write },
1108 { .name = "PMUSERENR_EL0", .state = ARM_CP_STATE_AA64,
1109 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 14, .opc2 = 0,
1110 .access = PL0_R | PL1_RW, .type = ARM_CP_ALIAS,
1111 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmuserenr),
1113 .writefn = pmuserenr_write, .raw_writefn = raw_write },
1114 { .name = "PMINTENSET", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 1,
1116 .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
1118 .writefn = pmintenset_write, .raw_writefn = raw_write },
1119 { .name = "PMINTENCLR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 2,
1120 .access = PL1_RW, .type = ARM_CP_ALIAS,
1121 .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
1122 .writefn = pmintenclr_write, },
1123 { .name = "PMINTENCLR_EL1", .state = ARM_CP_STATE_AA64,
1124 .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 2,
1125 .access = PL1_RW, .type = ARM_CP_ALIAS,
1126 .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
1127 .writefn = pmintenclr_write },
1128 { .name = "VBAR", .state = ARM_CP_STATE_BOTH,
1129 .opc0 = 3, .crn = 12, .crm = 0, .opc1 = 0, .opc2 = 0,
1130 .access = PL1_RW, .writefn = vbar_write,
1131 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.vbar_s),
1132 offsetof(CPUARMState, cp15.vbar_ns) },
1134 { .name = "CCSIDR", .state = ARM_CP_STATE_BOTH,
1135 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = 0,
1136 .access = PL1_R, .readfn = ccsidr_read, .type = ARM_CP_NO_RAW },
1137 { .name = "CSSELR", .state = ARM_CP_STATE_BOTH,
1138 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 2, .opc2 = 0,
1139 .access = PL1_RW, .writefn = csselr_write, .resetvalue = 0,
1140 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.csselr_s),
1141 offsetof(CPUARMState, cp15.csselr_ns) } },
1142 /* Auxiliary ID register: this actually has an IMPDEF value but for now
1143 * just RAZ for all cores:
1145 { .name = "AIDR", .state = ARM_CP_STATE_BOTH,
1146 .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 7,
1147 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
1148 /* Auxiliary fault status registers: these also are IMPDEF, and we
1149 * choose to RAZ/WI for all cores.
1151 { .name = "AFSR0_EL1", .state = ARM_CP_STATE_BOTH,
1152 .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 0,
1153 .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
1154 { .name = "AFSR1_EL1", .state = ARM_CP_STATE_BOTH,
1155 .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 1,
1156 .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
1157 /* MAIR can just read-as-written because we don't implement caches
1158 * and so don't need to care about memory attributes.
1160 { .name = "MAIR_EL1", .state = ARM_CP_STATE_AA64,
1161 .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0,
1162 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[1]),
1164 { .name = "MAIR_EL3", .state = ARM_CP_STATE_AA64,
1165 .opc0 = 3, .opc1 = 6, .crn = 10, .crm = 2, .opc2 = 0,
1166 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[3]),
1168 /* For non-long-descriptor page tables these are PRRR and NMRR;
1169 * regardless they still act as reads-as-written for QEMU.
1171 /* MAIR0/1 are defined separately from their 64-bit counterpart which
1172 * allows them to assign the correct fieldoffset based on the endianness
1173 * handled in the field definitions.
1175 { .name = "MAIR0", .state = ARM_CP_STATE_AA32,
1176 .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0, .access = PL1_RW,
1177 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair0_s),
1178 offsetof(CPUARMState, cp15.mair0_ns) },
1179 .resetfn = arm_cp_reset_ignore },
1180 { .name = "MAIR1", .state = ARM_CP_STATE_AA32,
1181 .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 1, .access = PL1_RW,
1182 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair1_s),
1183 offsetof(CPUARMState, cp15.mair1_ns) },
1184 .resetfn = arm_cp_reset_ignore },
1185 { .name = "ISR_EL1", .state = ARM_CP_STATE_BOTH,
1186 .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 0,
1187 .type = ARM_CP_NO_RAW, .access = PL1_R, .readfn = isr_read },
1188 /* 32 bit ITLB invalidates */
1189 { .name = "ITLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 0,
1190 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write },
1191 { .name = "ITLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 1,
1192 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write },
1193 { .name = "ITLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 2,
1194 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write },
1195 /* 32 bit DTLB invalidates */
1196 { .name = "DTLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 0,
1197 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write },
1198 { .name = "DTLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 1,
1199 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write },
1200 { .name = "DTLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 2,
1201 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write },
1202 /* 32 bit TLB invalidates */
1203 { .name = "TLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 0,
1204 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write },
1205 { .name = "TLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 1,
1206 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write },
1207 { .name = "TLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 2,
1208 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write },
1209 { .name = "TLBIMVAA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3,
1210 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimvaa_write },
1214 static const ARMCPRegInfo v7mp_cp_reginfo[] = {
1215 /* 32 bit TLB invalidates, Inner Shareable */
1216 { .name = "TLBIALLIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0,
1217 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_is_write },
1218 { .name = "TLBIMVAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1,
1219 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_is_write },
1220 { .name = "TLBIASIDIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 2,
1221 .type = ARM_CP_NO_RAW, .access = PL1_W,
1222 .writefn = tlbiasid_is_write },
1223 { .name = "TLBIMVAAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3,
1224 .type = ARM_CP_NO_RAW, .access = PL1_W,
1225 .writefn = tlbimvaa_is_write },
1229 static void teecr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1236 static CPAccessResult teehbr_access(CPUARMState *env, const ARMCPRegInfo *ri,
1239 if (arm_current_el(env) == 0 && (env->teecr & 1)) {
1240 return CP_ACCESS_TRAP;
1242 return CP_ACCESS_OK;
1245 static const ARMCPRegInfo t2ee_cp_reginfo[] = {
1246 { .name = "TEECR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 6, .opc2 = 0,
1247 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, teecr),
1249 .writefn = teecr_write },
1250 { .name = "TEEHBR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 6, .opc2 = 0,
1251 .access = PL0_RW, .fieldoffset = offsetof(CPUARMState, teehbr),
1252 .accessfn = teehbr_access, .resetvalue = 0 },
1256 static const ARMCPRegInfo v6k_cp_reginfo[] = {
1257 { .name = "TPIDR_EL0", .state = ARM_CP_STATE_AA64,
1258 .opc0 = 3, .opc1 = 3, .opc2 = 2, .crn = 13, .crm = 0,
1260 .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[0]), .resetvalue = 0 },
1261 { .name = "TPIDRURW", .cp = 15, .crn = 13, .crm = 0, .opc1 = 0, .opc2 = 2,
1263 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrurw_s),
1264 offsetoflow32(CPUARMState, cp15.tpidrurw_ns) },
1265 .resetfn = arm_cp_reset_ignore },
1266 { .name = "TPIDRRO_EL0", .state = ARM_CP_STATE_AA64,
1267 .opc0 = 3, .opc1 = 3, .opc2 = 3, .crn = 13, .crm = 0,
1268 .access = PL0_R|PL1_W,
1269 .fieldoffset = offsetof(CPUARMState, cp15.tpidrro_el[0]),
1271 { .name = "TPIDRURO", .cp = 15, .crn = 13, .crm = 0, .opc1 = 0, .opc2 = 3,
1272 .access = PL0_R|PL1_W,
1273 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidruro_s),
1274 offsetoflow32(CPUARMState, cp15.tpidruro_ns) },
1275 .resetfn = arm_cp_reset_ignore },
1276 { .name = "TPIDR_EL1", .state = ARM_CP_STATE_AA64,
1277 .opc0 = 3, .opc1 = 0, .opc2 = 4, .crn = 13, .crm = 0,
1279 .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[1]), .resetvalue = 0 },
1280 { .name = "TPIDRPRW", .opc1 = 0, .cp = 15, .crn = 13, .crm = 0, .opc2 = 4,
1282 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrprw_s),
1283 offsetoflow32(CPUARMState, cp15.tpidrprw_ns) },
1288 #ifndef CONFIG_USER_ONLY
1290 static CPAccessResult gt_cntfrq_access(CPUARMState *env, const ARMCPRegInfo *ri,
1293 /* CNTFRQ: not visible from PL0 if both PL0PCTEN and PL0VCTEN are zero.
1294 * Writable only at the highest implemented exception level.
1296 int el = arm_current_el(env);
1300 if (!extract32(env->cp15.c14_cntkctl, 0, 2)) {
1301 return CP_ACCESS_TRAP;
1305 if (!isread && ri->state == ARM_CP_STATE_AA32 &&
1306 arm_is_secure_below_el3(env)) {
1307 /* Accesses from 32-bit Secure EL1 UNDEF (*not* trap to EL3!) */
1308 return CP_ACCESS_TRAP_UNCATEGORIZED;
1316 if (!isread && el < arm_highest_el(env)) {
1317 return CP_ACCESS_TRAP_UNCATEGORIZED;
1320 return CP_ACCESS_OK;
1323 static CPAccessResult gt_counter_access(CPUARMState *env, int timeridx,
1326 unsigned int cur_el = arm_current_el(env);
1327 bool secure = arm_is_secure(env);
1329 /* CNT[PV]CT: not visible from PL0 if ELO[PV]CTEN is zero */
1331 !extract32(env->cp15.c14_cntkctl, timeridx, 1)) {
1332 return CP_ACCESS_TRAP;
1335 if (arm_feature(env, ARM_FEATURE_EL2) &&
1336 timeridx == GTIMER_PHYS && !secure && cur_el < 2 &&
1337 !extract32(env->cp15.cnthctl_el2, 0, 1)) {
1338 return CP_ACCESS_TRAP_EL2;
1340 return CP_ACCESS_OK;
1343 static CPAccessResult gt_timer_access(CPUARMState *env, int timeridx,
1346 unsigned int cur_el = arm_current_el(env);
1347 bool secure = arm_is_secure(env);
1349 /* CNT[PV]_CVAL, CNT[PV]_CTL, CNT[PV]_TVAL: not visible from PL0 if
1350 * EL0[PV]TEN is zero.
1353 !extract32(env->cp15.c14_cntkctl, 9 - timeridx, 1)) {
1354 return CP_ACCESS_TRAP;
1357 if (arm_feature(env, ARM_FEATURE_EL2) &&
1358 timeridx == GTIMER_PHYS && !secure && cur_el < 2 &&
1359 !extract32(env->cp15.cnthctl_el2, 1, 1)) {
1360 return CP_ACCESS_TRAP_EL2;
1362 return CP_ACCESS_OK;
1365 static CPAccessResult gt_pct_access(CPUARMState *env,
1366 const ARMCPRegInfo *ri,
1369 return gt_counter_access(env, GTIMER_PHYS, isread);
1372 static CPAccessResult gt_vct_access(CPUARMState *env,
1373 const ARMCPRegInfo *ri,
1376 return gt_counter_access(env, GTIMER_VIRT, isread);
1379 static CPAccessResult gt_ptimer_access(CPUARMState *env, const ARMCPRegInfo *ri,
1382 return gt_timer_access(env, GTIMER_PHYS, isread);
1385 static CPAccessResult gt_vtimer_access(CPUARMState *env, const ARMCPRegInfo *ri,
1388 return gt_timer_access(env, GTIMER_VIRT, isread);
1391 static CPAccessResult gt_stimer_access(CPUARMState *env,
1392 const ARMCPRegInfo *ri,
1395 /* The AArch64 register view of the secure physical timer is
1396 * always accessible from EL3, and configurably accessible from
1399 switch (arm_current_el(env)) {
1401 if (!arm_is_secure(env)) {
1402 return CP_ACCESS_TRAP;
1404 if (!(env->cp15.scr_el3 & SCR_ST)) {
1405 return CP_ACCESS_TRAP_EL3;
1407 return CP_ACCESS_OK;
1410 return CP_ACCESS_TRAP;
1412 return CP_ACCESS_OK;
1414 g_assert_not_reached();
1418 static uint64_t gt_get_countervalue(CPUARMState *env)
1420 return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / GTIMER_SCALE;
1423 static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
1425 ARMGenericTimer *gt = &cpu->env.cp15.c14_timer[timeridx];
1428 /* Timer enabled: calculate and set current ISTATUS, irq, and
1429 * reset timer to when ISTATUS next has to change
1431 uint64_t offset = timeridx == GTIMER_VIRT ?
1432 cpu->env.cp15.cntvoff_el2 : 0;
1433 uint64_t count = gt_get_countervalue(&cpu->env);
1434 /* Note that this must be unsigned 64 bit arithmetic: */
1435 int istatus = count - offset >= gt->cval;
1438 gt->ctl = deposit32(gt->ctl, 2, 1, istatus);
1439 qemu_set_irq(cpu->gt_timer_outputs[timeridx],
1440 (istatus && !(gt->ctl & 2)));
1442 /* Next transition is when count rolls back over to zero */
1443 nexttick = UINT64_MAX;
1445 /* Next transition is when we hit cval */
1446 nexttick = gt->cval + offset;
1448 /* Note that the desired next expiry time might be beyond the
1449 * signed-64-bit range of a QEMUTimer -- in this case we just
1450 * set the timer for as far in the future as possible. When the
1451 * timer expires we will reset the timer for any remaining period.
1453 if (nexttick > INT64_MAX / GTIMER_SCALE) {
1454 nexttick = INT64_MAX / GTIMER_SCALE;
1456 timer_mod(cpu->gt_timer[timeridx], nexttick);
1458 /* Timer disabled: ISTATUS and timer output always clear */
1460 qemu_set_irq(cpu->gt_timer_outputs[timeridx], 0);
1461 timer_del(cpu->gt_timer[timeridx]);
1465 static void gt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri,
1468 ARMCPU *cpu = arm_env_get_cpu(env);
1470 timer_del(cpu->gt_timer[timeridx]);
1473 static uint64_t gt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
1475 return gt_get_countervalue(env);
1478 static uint64_t gt_virt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
1480 return gt_get_countervalue(env) - env->cp15.cntvoff_el2;
1483 static void gt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1487 env->cp15.c14_timer[timeridx].cval = value;
1488 gt_recalc_timer(arm_env_get_cpu(env), timeridx);
1491 static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri,
1494 uint64_t offset = timeridx == GTIMER_VIRT ? env->cp15.cntvoff_el2 : 0;
1496 return (uint32_t)(env->cp15.c14_timer[timeridx].cval -
1497 (gt_get_countervalue(env) - offset));
1500 static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1504 uint64_t offset = timeridx == GTIMER_VIRT ? env->cp15.cntvoff_el2 : 0;
1506 env->cp15.c14_timer[timeridx].cval = gt_get_countervalue(env) - offset +
1507 sextract64(value, 0, 32);
1508 gt_recalc_timer(arm_env_get_cpu(env), timeridx);
1511 static void gt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
1515 ARMCPU *cpu = arm_env_get_cpu(env);
1516 uint32_t oldval = env->cp15.c14_timer[timeridx].ctl;
1518 env->cp15.c14_timer[timeridx].ctl = deposit64(oldval, 0, 2, value);
1519 if ((oldval ^ value) & 1) {
1520 /* Enable toggled */
1521 gt_recalc_timer(cpu, timeridx);
1522 } else if ((oldval ^ value) & 2) {
1523 /* IMASK toggled: don't need to recalculate,
1524 * just set the interrupt line based on ISTATUS
1526 qemu_set_irq(cpu->gt_timer_outputs[timeridx],
1527 (oldval & 4) && !(value & 2));
1531 static void gt_phys_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
1533 gt_timer_reset(env, ri, GTIMER_PHYS);
1536 static void gt_phys_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1539 gt_cval_write(env, ri, GTIMER_PHYS, value);
1542 static uint64_t gt_phys_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
1544 return gt_tval_read(env, ri, GTIMER_PHYS);
1547 static void gt_phys_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1550 gt_tval_write(env, ri, GTIMER_PHYS, value);
1553 static void gt_phys_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
1556 gt_ctl_write(env, ri, GTIMER_PHYS, value);
1559 static void gt_virt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
1561 gt_timer_reset(env, ri, GTIMER_VIRT);
1564 static void gt_virt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1567 gt_cval_write(env, ri, GTIMER_VIRT, value);
1570 static uint64_t gt_virt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
1572 return gt_tval_read(env, ri, GTIMER_VIRT);
1575 static void gt_virt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1578 gt_tval_write(env, ri, GTIMER_VIRT, value);
1581 static void gt_virt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
1584 gt_ctl_write(env, ri, GTIMER_VIRT, value);
1587 static void gt_cntvoff_write(CPUARMState *env, const ARMCPRegInfo *ri,
1590 ARMCPU *cpu = arm_env_get_cpu(env);
1592 raw_write(env, ri, value);
1593 gt_recalc_timer(cpu, GTIMER_VIRT);
1596 static void gt_hyp_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
1598 gt_timer_reset(env, ri, GTIMER_HYP);
1601 static void gt_hyp_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1604 gt_cval_write(env, ri, GTIMER_HYP, value);
1607 static uint64_t gt_hyp_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
1609 return gt_tval_read(env, ri, GTIMER_HYP);
1612 static void gt_hyp_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1615 gt_tval_write(env, ri, GTIMER_HYP, value);
1618 static void gt_hyp_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
1621 gt_ctl_write(env, ri, GTIMER_HYP, value);
1624 static void gt_sec_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
1626 gt_timer_reset(env, ri, GTIMER_SEC);
1629 static void gt_sec_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1632 gt_cval_write(env, ri, GTIMER_SEC, value);
1635 static uint64_t gt_sec_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
1637 return gt_tval_read(env, ri, GTIMER_SEC);
1640 static void gt_sec_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1643 gt_tval_write(env, ri, GTIMER_SEC, value);
1646 static void gt_sec_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
1649 gt_ctl_write(env, ri, GTIMER_SEC, value);
1652 void arm_gt_ptimer_cb(void *opaque)
1654 ARMCPU *cpu = opaque;
1656 gt_recalc_timer(cpu, GTIMER_PHYS);
1659 void arm_gt_vtimer_cb(void *opaque)
1661 ARMCPU *cpu = opaque;
1663 gt_recalc_timer(cpu, GTIMER_VIRT);
1666 void arm_gt_htimer_cb(void *opaque)
1668 ARMCPU *cpu = opaque;
1670 gt_recalc_timer(cpu, GTIMER_HYP);
1673 void arm_gt_stimer_cb(void *opaque)
1675 ARMCPU *cpu = opaque;
1677 gt_recalc_timer(cpu, GTIMER_SEC);
1680 static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
1681 /* Note that CNTFRQ is purely reads-as-written for the benefit
1682 * of software; writing it doesn't actually change the timer frequency.
1683 * Our reset value matches the fixed frequency we implement the timer at.
1685 { .name = "CNTFRQ", .cp = 15, .crn = 14, .crm = 0, .opc1 = 0, .opc2 = 0,
1686 .type = ARM_CP_ALIAS,
1687 .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access,
1688 .fieldoffset = offsetoflow32(CPUARMState, cp15.c14_cntfrq),
1690 { .name = "CNTFRQ_EL0", .state = ARM_CP_STATE_AA64,
1691 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 0,
1692 .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access,
1693 .fieldoffset = offsetof(CPUARMState, cp15.c14_cntfrq),
1694 .resetvalue = (1000 * 1000 * 1000) / GTIMER_SCALE,
1696 /* overall control: mostly access permissions */
1697 { .name = "CNTKCTL", .state = ARM_CP_STATE_BOTH,
1698 .opc0 = 3, .opc1 = 0, .crn = 14, .crm = 1, .opc2 = 0,
1700 .fieldoffset = offsetof(CPUARMState, cp15.c14_cntkctl),
1703 /* per-timer control */
1704 { .name = "CNTP_CTL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1,
1705 .secure = ARM_CP_SECSTATE_NS,
1706 .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
1707 .accessfn = gt_ptimer_access,
1708 .fieldoffset = offsetoflow32(CPUARMState,
1709 cp15.c14_timer[GTIMER_PHYS].ctl),
1710 .writefn = gt_phys_ctl_write, .raw_writefn = raw_write,
1712 { .name = "CNTP_CTL(S)",
1713 .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1,
1714 .secure = ARM_CP_SECSTATE_S,
1715 .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
1716 .accessfn = gt_ptimer_access,
1717 .fieldoffset = offsetoflow32(CPUARMState,
1718 cp15.c14_timer[GTIMER_SEC].ctl),
1719 .writefn = gt_sec_ctl_write, .raw_writefn = raw_write,
1721 { .name = "CNTP_CTL_EL0", .state = ARM_CP_STATE_AA64,
1722 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 1,
1723 .type = ARM_CP_IO, .access = PL1_RW | PL0_R,
1724 .accessfn = gt_ptimer_access,
1725 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].ctl),
1727 .writefn = gt_phys_ctl_write, .raw_writefn = raw_write,
1729 { .name = "CNTV_CTL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 1,
1730 .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
1731 .accessfn = gt_vtimer_access,
1732 .fieldoffset = offsetoflow32(CPUARMState,
1733 cp15.c14_timer[GTIMER_VIRT].ctl),
1734 .writefn = gt_virt_ctl_write, .raw_writefn = raw_write,
1736 { .name = "CNTV_CTL_EL0", .state = ARM_CP_STATE_AA64,
1737 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 1,
1738 .type = ARM_CP_IO, .access = PL1_RW | PL0_R,
1739 .accessfn = gt_vtimer_access,
1740 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].ctl),
1742 .writefn = gt_virt_ctl_write, .raw_writefn = raw_write,
1744 /* TimerValue views: a 32 bit downcounting view of the underlying state */
1745 { .name = "CNTP_TVAL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0,
1746 .secure = ARM_CP_SECSTATE_NS,
1747 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1748 .accessfn = gt_ptimer_access,
1749 .readfn = gt_phys_tval_read, .writefn = gt_phys_tval_write,
1751 { .name = "CNTP_TVAL(S)",
1752 .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0,
1753 .secure = ARM_CP_SECSTATE_S,
1754 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1755 .accessfn = gt_ptimer_access,
1756 .readfn = gt_sec_tval_read, .writefn = gt_sec_tval_write,
1758 { .name = "CNTP_TVAL_EL0", .state = ARM_CP_STATE_AA64,
1759 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 0,
1760 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1761 .accessfn = gt_ptimer_access, .resetfn = gt_phys_timer_reset,
1762 .readfn = gt_phys_tval_read, .writefn = gt_phys_tval_write,
1764 { .name = "CNTV_TVAL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 0,
1765 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1766 .accessfn = gt_vtimer_access,
1767 .readfn = gt_virt_tval_read, .writefn = gt_virt_tval_write,
1769 { .name = "CNTV_TVAL_EL0", .state = ARM_CP_STATE_AA64,
1770 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 0,
1771 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1772 .accessfn = gt_vtimer_access, .resetfn = gt_virt_timer_reset,
1773 .readfn = gt_virt_tval_read, .writefn = gt_virt_tval_write,
1775 /* The counter itself */
1776 { .name = "CNTPCT", .cp = 15, .crm = 14, .opc1 = 0,
1777 .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO,
1778 .accessfn = gt_pct_access,
1779 .readfn = gt_cnt_read, .resetfn = arm_cp_reset_ignore,
1781 { .name = "CNTPCT_EL0", .state = ARM_CP_STATE_AA64,
1782 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 1,
1783 .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
1784 .accessfn = gt_pct_access, .readfn = gt_cnt_read,
1786 { .name = "CNTVCT", .cp = 15, .crm = 14, .opc1 = 1,
1787 .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO,
1788 .accessfn = gt_vct_access,
1789 .readfn = gt_virt_cnt_read, .resetfn = arm_cp_reset_ignore,
1791 { .name = "CNTVCT_EL0", .state = ARM_CP_STATE_AA64,
1792 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 2,
1793 .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
1794 .accessfn = gt_vct_access, .readfn = gt_virt_cnt_read,
1796 /* Comparison value, indicating when the timer goes off */
1797 { .name = "CNTP_CVAL", .cp = 15, .crm = 14, .opc1 = 2,
1798 .secure = ARM_CP_SECSTATE_NS,
1799 .access = PL1_RW | PL0_R,
1800 .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
1801 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
1802 .accessfn = gt_ptimer_access,
1803 .writefn = gt_phys_cval_write, .raw_writefn = raw_write,
1805 { .name = "CNTP_CVAL(S)", .cp = 15, .crm = 14, .opc1 = 2,
1806 .secure = ARM_CP_SECSTATE_S,
1807 .access = PL1_RW | PL0_R,
1808 .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
1809 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval),
1810 .accessfn = gt_ptimer_access,
1811 .writefn = gt_sec_cval_write, .raw_writefn = raw_write,
1813 { .name = "CNTP_CVAL_EL0", .state = ARM_CP_STATE_AA64,
1814 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 2,
1815 .access = PL1_RW | PL0_R,
1817 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
1818 .resetvalue = 0, .accessfn = gt_ptimer_access,
1819 .writefn = gt_phys_cval_write, .raw_writefn = raw_write,
1821 { .name = "CNTV_CVAL", .cp = 15, .crm = 14, .opc1 = 3,
1822 .access = PL1_RW | PL0_R,
1823 .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
1824 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
1825 .accessfn = gt_vtimer_access,
1826 .writefn = gt_virt_cval_write, .raw_writefn = raw_write,
1828 { .name = "CNTV_CVAL_EL0", .state = ARM_CP_STATE_AA64,
1829 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 2,
1830 .access = PL1_RW | PL0_R,
1832 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
1833 .resetvalue = 0, .accessfn = gt_vtimer_access,
1834 .writefn = gt_virt_cval_write, .raw_writefn = raw_write,
1836 /* Secure timer -- this is actually restricted to only EL3
1837 * and configurably Secure-EL1 via the accessfn.
1839 { .name = "CNTPS_TVAL_EL1", .state = ARM_CP_STATE_AA64,
1840 .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 0,
1841 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW,
1842 .accessfn = gt_stimer_access,
1843 .readfn = gt_sec_tval_read,
1844 .writefn = gt_sec_tval_write,
1845 .resetfn = gt_sec_timer_reset,
1847 { .name = "CNTPS_CTL_EL1", .state = ARM_CP_STATE_AA64,
1848 .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 1,
1849 .type = ARM_CP_IO, .access = PL1_RW,
1850 .accessfn = gt_stimer_access,
1851 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].ctl),
1853 .writefn = gt_sec_ctl_write, .raw_writefn = raw_write,
1855 { .name = "CNTPS_CVAL_EL1", .state = ARM_CP_STATE_AA64,
1856 .opc0 = 3, .opc1 = 7, .crn = 14, .crm = 2, .opc2 = 2,
1857 .type = ARM_CP_IO, .access = PL1_RW,
1858 .accessfn = gt_stimer_access,
1859 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval),
1860 .writefn = gt_sec_cval_write, .raw_writefn = raw_write,
1866 /* In user-mode none of the generic timer registers are accessible,
1867 * and their implementation depends on QEMU_CLOCK_VIRTUAL and qdev gpio outputs,
1868 * so instead just don't register any of them.
1870 static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
1876 static void par_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
1878 if (arm_feature(env, ARM_FEATURE_LPAE)) {
1879 raw_write(env, ri, value);
1880 } else if (arm_feature(env, ARM_FEATURE_V7)) {
1881 raw_write(env, ri, value & 0xfffff6ff);
1883 raw_write(env, ri, value & 0xfffff1ff);
1887 #ifndef CONFIG_USER_ONLY
1888 /* get_phys_addr() isn't present for user-mode-only targets */
1890 static CPAccessResult ats_access(CPUARMState *env, const ARMCPRegInfo *ri,
1894 /* The ATS12NSO* operations must trap to EL3 if executed in
1895 * Secure EL1 (which can only happen if EL3 is AArch64).
1896 * They are simply UNDEF if executed from NS EL1.
1897 * They function normally from EL2 or EL3.
1899 if (arm_current_el(env) == 1) {
1900 if (arm_is_secure_below_el3(env)) {
1901 return CP_ACCESS_TRAP_UNCATEGORIZED_EL3;
1903 return CP_ACCESS_TRAP_UNCATEGORIZED;
1906 return CP_ACCESS_OK;
1909 static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
1910 int access_type, ARMMMUIdx mmu_idx)
1913 target_ulong page_size;
1918 MemTxAttrs attrs = {};
1919 ARMMMUFaultInfo fi = {};
1921 ret = get_phys_addr(env, value, access_type, mmu_idx,
1922 &phys_addr, &attrs, &prot, &page_size, &fsr, &fi);
1923 if (extended_addresses_enabled(env)) {
1924 /* fsr is a DFSR/IFSR value for the long descriptor
1925 * translation table format, but with WnR always clear.
1926 * Convert it to a 64-bit PAR.
1928 par64 = (1 << 11); /* LPAE bit always set */
1930 par64 |= phys_addr & ~0xfffULL;
1931 if (!attrs.secure) {
1932 par64 |= (1 << 9); /* NS */
1934 /* We don't set the ATTR or SH fields in the PAR. */
1937 par64 |= (fsr & 0x3f) << 1; /* FS */
1938 /* Note that S2WLK and FSTAGE are always zero, because we don't
1939 * implement virtualization and therefore there can't be a stage 2
1944 /* fsr is a DFSR/IFSR value for the short descriptor
1945 * translation table format (with WnR always clear).
1946 * Convert it to a 32-bit PAR.
1949 /* We do not set any attribute bits in the PAR */
1950 if (page_size == (1 << 24)
1951 && arm_feature(env, ARM_FEATURE_V7)) {
1952 par64 = (phys_addr & 0xff000000) | (1 << 1);
1954 par64 = phys_addr & 0xfffff000;
1956 if (!attrs.secure) {
1957 par64 |= (1 << 9); /* NS */
1960 par64 = ((fsr & (1 << 10)) >> 5) | ((fsr & (1 << 12)) >> 6) |
1961 ((fsr & 0xf) << 1) | 1;
1967 static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
1969 int access_type = ri->opc2 & 1;
1972 int el = arm_current_el(env);
1973 bool secure = arm_is_secure_below_el3(env);
1975 switch (ri->opc2 & 6) {
1977 /* stage 1 current state PL1: ATS1CPR, ATS1CPW */
1980 mmu_idx = ARMMMUIdx_S1E3;
1983 mmu_idx = ARMMMUIdx_S1NSE1;
1986 mmu_idx = secure ? ARMMMUIdx_S1SE1 : ARMMMUIdx_S1NSE1;
1989 g_assert_not_reached();
1993 /* stage 1 current state PL0: ATS1CUR, ATS1CUW */
1996 mmu_idx = ARMMMUIdx_S1SE0;
1999 mmu_idx = ARMMMUIdx_S1NSE0;
2002 mmu_idx = secure ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S1NSE0;
2005 g_assert_not_reached();
2009 /* stage 1+2 NonSecure PL1: ATS12NSOPR, ATS12NSOPW */
2010 mmu_idx = ARMMMUIdx_S12NSE1;
2013 /* stage 1+2 NonSecure PL0: ATS12NSOUR, ATS12NSOUW */
2014 mmu_idx = ARMMMUIdx_S12NSE0;
2017 g_assert_not_reached();
2020 par64 = do_ats_write(env, value, access_type, mmu_idx);
2022 A32_BANKED_CURRENT_REG_SET(env, par, par64);
2025 static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri,
2028 int access_type = ri->opc2 & 1;
2031 par64 = do_ats_write(env, value, access_type, ARMMMUIdx_S2NS);
2033 A32_BANKED_CURRENT_REG_SET(env, par, par64);
2036 static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri,
2039 if (arm_current_el(env) == 3 && !(env->cp15.scr_el3 & SCR_NS)) {
2040 return CP_ACCESS_TRAP;
2042 return CP_ACCESS_OK;
2045 static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
2048 int access_type = ri->opc2 & 1;
2050 int secure = arm_is_secure_below_el3(env);
2052 switch (ri->opc2 & 6) {
2055 case 0: /* AT S1E1R, AT S1E1W */
2056 mmu_idx = secure ? ARMMMUIdx_S1SE1 : ARMMMUIdx_S1NSE1;
2058 case 4: /* AT S1E2R, AT S1E2W */
2059 mmu_idx = ARMMMUIdx_S1E2;
2061 case 6: /* AT S1E3R, AT S1E3W */
2062 mmu_idx = ARMMMUIdx_S1E3;
2065 g_assert_not_reached();
2068 case 2: /* AT S1E0R, AT S1E0W */
2069 mmu_idx = secure ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S1NSE0;
2071 case 4: /* AT S12E1R, AT S12E1W */
2072 mmu_idx = secure ? ARMMMUIdx_S1SE1 : ARMMMUIdx_S12NSE1;
2074 case 6: /* AT S12E0R, AT S12E0W */
2075 mmu_idx = secure ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S12NSE0;
2078 g_assert_not_reached();
2081 env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx);
2085 static const ARMCPRegInfo vapa_cp_reginfo[] = {
2086 { .name = "PAR", .cp = 15, .crn = 7, .crm = 4, .opc1 = 0, .opc2 = 0,
2087 .access = PL1_RW, .resetvalue = 0,
2088 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.par_s),
2089 offsetoflow32(CPUARMState, cp15.par_ns) },
2090 .writefn = par_write },
2091 #ifndef CONFIG_USER_ONLY
2092 /* This underdecoding is safe because the reginfo is NO_RAW. */
2093 { .name = "ATS", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = CP_ANY,
2094 .access = PL1_W, .accessfn = ats_access,
2095 .writefn = ats_write, .type = ARM_CP_NO_RAW },
2100 /* Return basic MPU access permission bits. */
2101 static uint32_t simple_mpu_ap_bits(uint32_t val)
2108 for (i = 0; i < 16; i += 2) {
2109 ret |= (val >> i) & mask;
2115 /* Pad basic MPU access permission bits to extended format. */
2116 static uint32_t extended_mpu_ap_bits(uint32_t val)
2123 for (i = 0; i < 16; i += 2) {
2124 ret |= (val & mask) << i;
2130 static void pmsav5_data_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
2133 env->cp15.pmsav5_data_ap = extended_mpu_ap_bits(value);
2136 static uint64_t pmsav5_data_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
2138 return simple_mpu_ap_bits(env->cp15.pmsav5_data_ap);
2141 static void pmsav5_insn_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
2144 env->cp15.pmsav5_insn_ap = extended_mpu_ap_bits(value);
2147 static uint64_t pmsav5_insn_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
2149 return simple_mpu_ap_bits(env->cp15.pmsav5_insn_ap);
2152 static uint64_t pmsav7_read(CPUARMState *env, const ARMCPRegInfo *ri)
2154 uint32_t *u32p = *(uint32_t **)raw_ptr(env, ri);
2160 u32p += env->cp15.c6_rgnr;
2164 static void pmsav7_write(CPUARMState *env, const ARMCPRegInfo *ri,
2167 ARMCPU *cpu = arm_env_get_cpu(env);
2168 uint32_t *u32p = *(uint32_t **)raw_ptr(env, ri);
2174 u32p += env->cp15.c6_rgnr;
2175 tlb_flush(CPU(cpu), 1); /* Mappings may have changed - purge! */
2179 static void pmsav7_reset(CPUARMState *env, const ARMCPRegInfo *ri)
2181 ARMCPU *cpu = arm_env_get_cpu(env);
2182 uint32_t *u32p = *(uint32_t **)raw_ptr(env, ri);
2188 memset(u32p, 0, sizeof(*u32p) * cpu->pmsav7_dregion);
2191 static void pmsav7_rgnr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2194 ARMCPU *cpu = arm_env_get_cpu(env);
2195 uint32_t nrgs = cpu->pmsav7_dregion;
2197 if (value >= nrgs) {
2198 qemu_log_mask(LOG_GUEST_ERROR,
2199 "PMSAv7 RGNR write >= # supported regions, %" PRIu32
2200 " > %" PRIu32 "\n", (uint32_t)value, nrgs);
2204 raw_write(env, ri, value);
2207 static const ARMCPRegInfo pmsav7_cp_reginfo[] = {
2208 { .name = "DRBAR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 0,
2209 .access = PL1_RW, .type = ARM_CP_NO_RAW,
2210 .fieldoffset = offsetof(CPUARMState, pmsav7.drbar),
2211 .readfn = pmsav7_read, .writefn = pmsav7_write, .resetfn = pmsav7_reset },
2212 { .name = "DRSR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 2,
2213 .access = PL1_RW, .type = ARM_CP_NO_RAW,
2214 .fieldoffset = offsetof(CPUARMState, pmsav7.drsr),
2215 .readfn = pmsav7_read, .writefn = pmsav7_write, .resetfn = pmsav7_reset },
2216 { .name = "DRACR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 4,
2217 .access = PL1_RW, .type = ARM_CP_NO_RAW,
2218 .fieldoffset = offsetof(CPUARMState, pmsav7.dracr),
2219 .readfn = pmsav7_read, .writefn = pmsav7_write, .resetfn = pmsav7_reset },
2220 { .name = "RGNR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 2, .opc2 = 0,
2222 .fieldoffset = offsetof(CPUARMState, cp15.c6_rgnr),
2223 .writefn = pmsav7_rgnr_write },
2227 static const ARMCPRegInfo pmsav5_cp_reginfo[] = {
2228 { .name = "DATA_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 0,
2229 .access = PL1_RW, .type = ARM_CP_ALIAS,
2230 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_data_ap),
2231 .readfn = pmsav5_data_ap_read, .writefn = pmsav5_data_ap_write, },
2232 { .name = "INSN_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 1,
2233 .access = PL1_RW, .type = ARM_CP_ALIAS,
2234 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_insn_ap),
2235 .readfn = pmsav5_insn_ap_read, .writefn = pmsav5_insn_ap_write, },
2236 { .name = "DATA_EXT_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 2,
2238 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_data_ap),
2240 { .name = "INSN_EXT_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 3,
2242 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_insn_ap),
2244 { .name = "DCACHE_CFG", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0,
2246 .fieldoffset = offsetof(CPUARMState, cp15.c2_data), .resetvalue = 0, },
2247 { .name = "ICACHE_CFG", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 1,
2249 .fieldoffset = offsetof(CPUARMState, cp15.c2_insn), .resetvalue = 0, },
2250 /* Protection region base and size registers */
2251 { .name = "946_PRBS0", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0,
2252 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
2253 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[0]) },
2254 { .name = "946_PRBS1", .cp = 15, .crn = 6, .crm = 1, .opc1 = 0,
2255 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
2256 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[1]) },
2257 { .name = "946_PRBS2", .cp = 15, .crn = 6, .crm = 2, .opc1 = 0,
2258 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
2259 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[2]) },
2260 { .name = "946_PRBS3", .cp = 15, .crn = 6, .crm = 3, .opc1 = 0,
2261 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
2262 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[3]) },
2263 { .name = "946_PRBS4", .cp = 15, .crn = 6, .crm = 4, .opc1 = 0,
2264 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
2265 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[4]) },
2266 { .name = "946_PRBS5", .cp = 15, .crn = 6, .crm = 5, .opc1 = 0,
2267 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
2268 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[5]) },
2269 { .name = "946_PRBS6", .cp = 15, .crn = 6, .crm = 6, .opc1 = 0,
2270 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
2271 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[6]) },
2272 { .name = "946_PRBS7", .cp = 15, .crn = 6, .crm = 7, .opc1 = 0,
2273 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
2274 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[7]) },
2278 static void vmsa_ttbcr_raw_write(CPUARMState *env, const ARMCPRegInfo *ri,
2281 TCR *tcr = raw_ptr(env, ri);
2282 int maskshift = extract32(value, 0, 3);
2284 if (!arm_feature(env, ARM_FEATURE_V8)) {
2285 if (arm_feature(env, ARM_FEATURE_LPAE) && (value & TTBCR_EAE)) {
2286 /* Pre ARMv8 bits [21:19], [15:14] and [6:3] are UNK/SBZP when
2287 * using Long-desciptor translation table format */
2288 value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
2289 } else if (arm_feature(env, ARM_FEATURE_EL3)) {
2290 /* In an implementation that includes the Security Extensions
2291 * TTBCR has additional fields PD0 [4] and PD1 [5] for
2292 * Short-descriptor translation table format.
2294 value &= TTBCR_PD1 | TTBCR_PD0 | TTBCR_N;
2300 /* Update the masks corresponding to the TCR bank being written
2301 * Note that we always calculate mask and base_mask, but
2302 * they are only used for short-descriptor tables (ie if EAE is 0);
2303 * for long-descriptor tables the TCR fields are used differently
2304 * and the mask and base_mask values are meaningless.
2306 tcr->raw_tcr = value;
2307 tcr->mask = ~(((uint32_t)0xffffffffu) >> maskshift);
2308 tcr->base_mask = ~((uint32_t)0x3fffu >> maskshift);
2311 static void vmsa_ttbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2314 ARMCPU *cpu = arm_env_get_cpu(env);
2316 if (arm_feature(env, ARM_FEATURE_LPAE)) {
2317 /* With LPAE the TTBCR could result in a change of ASID
2318 * via the TTBCR.A1 bit, so do a TLB flush.
2320 tlb_flush(CPU(cpu), 1);
2322 vmsa_ttbcr_raw_write(env, ri, value);
2325 static void vmsa_ttbcr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
2327 TCR *tcr = raw_ptr(env, ri);
2329 /* Reset both the TCR as well as the masks corresponding to the bank of
2330 * the TCR being reset.
2334 tcr->base_mask = 0xffffc000u;
2337 static void vmsa_tcr_el1_write(CPUARMState *env, const ARMCPRegInfo *ri,
2340 ARMCPU *cpu = arm_env_get_cpu(env);
2341 TCR *tcr = raw_ptr(env, ri);
2343 /* For AArch64 the A1 bit could result in a change of ASID, so TLB flush. */
2344 tlb_flush(CPU(cpu), 1);
2345 tcr->raw_tcr = value;
2348 static void vmsa_ttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2351 /* 64 bit accesses to the TTBRs can change the ASID and so we
2352 * must flush the TLB.
2354 if (cpreg_field_is_64bit(ri)) {
2355 ARMCPU *cpu = arm_env_get_cpu(env);
2357 tlb_flush(CPU(cpu), 1);
2359 raw_write(env, ri, value);
2362 static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2365 ARMCPU *cpu = arm_env_get_cpu(env);
2366 CPUState *cs = CPU(cpu);
2368 /* Accesses to VTTBR may change the VMID so we must flush the TLB. */
2369 if (raw_read(env, ri) != value) {
2370 tlb_flush_by_mmuidx(cs, ARMMMUIdx_S12NSE1, ARMMMUIdx_S12NSE0,
2371 ARMMMUIdx_S2NS, -1);
2372 raw_write(env, ri, value);
2376 static const ARMCPRegInfo vmsa_pmsa_cp_reginfo[] = {
2377 { .name = "DFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 0,
2378 .access = PL1_RW, .type = ARM_CP_ALIAS,
2379 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dfsr_s),
2380 offsetoflow32(CPUARMState, cp15.dfsr_ns) }, },
2381 { .name = "IFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 1,
2382 .access = PL1_RW, .resetvalue = 0,
2383 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.ifsr_s),
2384 offsetoflow32(CPUARMState, cp15.ifsr_ns) } },
2385 { .name = "DFAR", .cp = 15, .opc1 = 0, .crn = 6, .crm = 0, .opc2 = 0,
2386 .access = PL1_RW, .resetvalue = 0,
2387 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.dfar_s),
2388 offsetof(CPUARMState, cp15.dfar_ns) } },
2389 { .name = "FAR_EL1", .state = ARM_CP_STATE_AA64,
2390 .opc0 = 3, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 0,
2391 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[1]),
2396 static const ARMCPRegInfo vmsa_cp_reginfo[] = {
2397 { .name = "ESR_EL1", .state = ARM_CP_STATE_AA64,
2398 .opc0 = 3, .crn = 5, .crm = 2, .opc1 = 0, .opc2 = 0,
2400 .fieldoffset = offsetof(CPUARMState, cp15.esr_el[1]), .resetvalue = 0, },
2401 { .name = "TTBR0_EL1", .state = ARM_CP_STATE_BOTH,
2402 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 0,
2403 .access = PL1_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0,
2404 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),
2405 offsetof(CPUARMState, cp15.ttbr0_ns) } },
2406 { .name = "TTBR1_EL1", .state = ARM_CP_STATE_BOTH,
2407 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 1,
2408 .access = PL1_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0,
2409 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),
2410 offsetof(CPUARMState, cp15.ttbr1_ns) } },
2411 { .name = "TCR_EL1", .state = ARM_CP_STATE_AA64,
2412 .opc0 = 3, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2,
2413 .access = PL1_RW, .writefn = vmsa_tcr_el1_write,
2414 .resetfn = vmsa_ttbcr_reset, .raw_writefn = raw_write,
2415 .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[1]) },
2416 { .name = "TTBCR", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2,
2417 .access = PL1_RW, .type = ARM_CP_ALIAS, .writefn = vmsa_ttbcr_write,
2418 .raw_writefn = vmsa_ttbcr_raw_write,
2419 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tcr_el[3]),
2420 offsetoflow32(CPUARMState, cp15.tcr_el[1])} },
2424 static void omap_ticonfig_write(CPUARMState *env, const ARMCPRegInfo *ri,
2427 env->cp15.c15_ticonfig = value & 0xe7;
2428 /* The OS_TYPE bit in this register changes the reported CPUID! */
2429 env->cp15.c0_cpuid = (value & (1 << 5)) ?
2430 ARM_CPUID_TI915T : ARM_CPUID_TI925T;
2433 static void omap_threadid_write(CPUARMState *env, const ARMCPRegInfo *ri,
2436 env->cp15.c15_threadid = value & 0xffff;
2439 static void omap_wfi_write(CPUARMState *env, const ARMCPRegInfo *ri,
2442 /* Wait-for-interrupt (deprecated) */
2443 cpu_interrupt(CPU(arm_env_get_cpu(env)), CPU_INTERRUPT_HALT);
2446 static void omap_cachemaint_write(CPUARMState *env, const ARMCPRegInfo *ri,
2449 /* On OMAP there are registers indicating the max/min index of dcache lines
2450 * containing a dirty line; cache flush operations have to reset these.
2452 env->cp15.c15_i_max = 0x000;
2453 env->cp15.c15_i_min = 0xff0;
2456 static const ARMCPRegInfo omap_cp_reginfo[] = {
2457 { .name = "DFSR", .cp = 15, .crn = 5, .crm = CP_ANY,
2458 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_OVERRIDE,
2459 .fieldoffset = offsetoflow32(CPUARMState, cp15.esr_el[1]),
2461 { .name = "", .cp = 15, .crn = 15, .crm = 0, .opc1 = 0, .opc2 = 0,
2462 .access = PL1_RW, .type = ARM_CP_NOP },
2463 { .name = "TICONFIG", .cp = 15, .crn = 15, .crm = 1, .opc1 = 0, .opc2 = 0,
2465 .fieldoffset = offsetof(CPUARMState, cp15.c15_ticonfig), .resetvalue = 0,
2466 .writefn = omap_ticonfig_write },
2467 { .name = "IMAX", .cp = 15, .crn = 15, .crm = 2, .opc1 = 0, .opc2 = 0,
2469 .fieldoffset = offsetof(CPUARMState, cp15.c15_i_max), .resetvalue = 0, },
2470 { .name = "IMIN", .cp = 15, .crn = 15, .crm = 3, .opc1 = 0, .opc2 = 0,
2471 .access = PL1_RW, .resetvalue = 0xff0,
2472 .fieldoffset = offsetof(CPUARMState, cp15.c15_i_min) },
2473 { .name = "THREADID", .cp = 15, .crn = 15, .crm = 4, .opc1 = 0, .opc2 = 0,
2475 .fieldoffset = offsetof(CPUARMState, cp15.c15_threadid), .resetvalue = 0,
2476 .writefn = omap_threadid_write },
2477 { .name = "TI925T_STATUS", .cp = 15, .crn = 15,
2478 .crm = 8, .opc1 = 0, .opc2 = 0, .access = PL1_RW,
2479 .type = ARM_CP_NO_RAW,
2480 .readfn = arm_cp_read_zero, .writefn = omap_wfi_write, },
2481 /* TODO: Peripheral port remap register:
2482 * On OMAP2 mcr p15, 0, rn, c15, c2, 4 sets up the interrupt controller
2483 * base address at $rn & ~0xfff and map size of 0x200 << ($rn & 0xfff),
2486 { .name = "OMAP_CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY,
2487 .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W,
2488 .type = ARM_CP_OVERRIDE | ARM_CP_NO_RAW,
2489 .writefn = omap_cachemaint_write },
2490 { .name = "C9", .cp = 15, .crn = 9,
2491 .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW,
2492 .type = ARM_CP_CONST | ARM_CP_OVERRIDE, .resetvalue = 0 },
2496 static void xscale_cpar_write(CPUARMState *env, const ARMCPRegInfo *ri,
2499 env->cp15.c15_cpar = value & 0x3fff;
2502 static const ARMCPRegInfo xscale_cp_reginfo[] = {
2503 { .name = "XSCALE_CPAR",
2504 .cp = 15, .crn = 15, .crm = 1, .opc1 = 0, .opc2 = 0, .access = PL1_RW,
2505 .fieldoffset = offsetof(CPUARMState, cp15.c15_cpar), .resetvalue = 0,
2506 .writefn = xscale_cpar_write, },
2507 { .name = "XSCALE_AUXCR",
2508 .cp = 15, .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 1, .access = PL1_RW,
2509 .fieldoffset = offsetof(CPUARMState, cp15.c1_xscaleauxcr),
2511 /* XScale specific cache-lockdown: since we have no cache we NOP these
2512 * and hope the guest does not really rely on cache behaviour.
2514 { .name = "XSCALE_LOCK_ICACHE_LINE",
2515 .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
2516 .access = PL1_W, .type = ARM_CP_NOP },
2517 { .name = "XSCALE_UNLOCK_ICACHE",
2518 .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
2519 .access = PL1_W, .type = ARM_CP_NOP },
2520 { .name = "XSCALE_DCACHE_LOCK",
2521 .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 0,
2522 .access = PL1_RW, .type = ARM_CP_NOP },
2523 { .name = "XSCALE_UNLOCK_DCACHE",
2524 .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 1,
2525 .access = PL1_W, .type = ARM_CP_NOP },
2529 static const ARMCPRegInfo dummy_c15_cp_reginfo[] = {
2530 /* RAZ/WI the whole crn=15 space, when we don't have a more specific
2531 * implementation of this implementation-defined space.
2532 * Ideally this should eventually disappear in favour of actually
2533 * implementing the correct behaviour for all cores.
2535 { .name = "C15_IMPDEF", .cp = 15, .crn = 15,
2536 .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY,
2538 .type = ARM_CP_CONST | ARM_CP_NO_RAW | ARM_CP_OVERRIDE,
2543 static const ARMCPRegInfo cache_dirty_status_cp_reginfo[] = {
2544 /* Cache status: RAZ because we have no cache so it's always clean */
2545 { .name = "CDSR", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 6,
2546 .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
2551 static const ARMCPRegInfo cache_block_ops_cp_reginfo[] = {
2552 /* We never have a a block transfer operation in progress */
2553 { .name = "BXSR", .cp = 15, .crn = 7, .crm = 12, .opc1 = 0, .opc2 = 4,
2554 .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
2556 /* The cache ops themselves: these all NOP for QEMU */
2557 { .name = "IICR", .cp = 15, .crm = 5, .opc1 = 0,
2558 .access = PL1_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2559 { .name = "IDCR", .cp = 15, .crm = 6, .opc1 = 0,
2560 .access = PL1_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2561 { .name = "CDCR", .cp = 15, .crm = 12, .opc1 = 0,
2562 .access = PL0_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2563 { .name = "PIR", .cp = 15, .crm = 12, .opc1 = 1,
2564 .access = PL0_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2565 { .name = "PDR", .cp = 15, .crm = 12, .opc1 = 2,
2566 .access = PL0_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2567 { .name = "CIDCR", .cp = 15, .crm = 14, .opc1 = 0,
2568 .access = PL1_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2572 static const ARMCPRegInfo cache_test_clean_cp_reginfo[] = {
2573 /* The cache test-and-clean instructions always return (1 << 30)
2574 * to indicate that there are no dirty cache lines.
2576 { .name = "TC_DCACHE", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 3,
2577 .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
2578 .resetvalue = (1 << 30) },
2579 { .name = "TCI_DCACHE", .cp = 15, .crn = 7, .crm = 14, .opc1 = 0, .opc2 = 3,
2580 .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
2581 .resetvalue = (1 << 30) },
2585 static const ARMCPRegInfo strongarm_cp_reginfo[] = {
2586 /* Ignore ReadBuffer accesses */
2587 { .name = "C9_READBUFFER", .cp = 15, .crn = 9,
2588 .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY,
2589 .access = PL1_RW, .resetvalue = 0,
2590 .type = ARM_CP_CONST | ARM_CP_OVERRIDE | ARM_CP_NO_RAW },
2594 static uint64_t midr_read(CPUARMState *env, const ARMCPRegInfo *ri)
2596 ARMCPU *cpu = arm_env_get_cpu(env);
2597 unsigned int cur_el = arm_current_el(env);
2598 bool secure = arm_is_secure(env);
2600 if (arm_feature(&cpu->env, ARM_FEATURE_EL2) && !secure && cur_el == 1) {
2601 return env->cp15.vpidr_el2;
2603 return raw_read(env, ri);
2606 static uint64_t mpidr_read_val(CPUARMState *env)
2608 ARMCPU *cpu = ARM_CPU(arm_env_get_cpu(env));
2609 uint64_t mpidr = cpu->mp_affinity;
2611 if (arm_feature(env, ARM_FEATURE_V7MP)) {
2612 mpidr |= (1U << 31);
2613 /* Cores which are uniprocessor (non-coherent)
2614 * but still implement the MP extensions set
2615 * bit 30. (For instance, Cortex-R5).
2617 if (cpu->mp_is_up) {
2618 mpidr |= (1u << 30);
2624 static uint64_t mpidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
2626 unsigned int cur_el = arm_current_el(env);
2627 bool secure = arm_is_secure(env);
2629 if (arm_feature(env, ARM_FEATURE_EL2) && !secure && cur_el == 1) {
2630 return env->cp15.vmpidr_el2;
2632 return mpidr_read_val(env);
2635 static const ARMCPRegInfo mpidr_cp_reginfo[] = {
2636 { .name = "MPIDR", .state = ARM_CP_STATE_BOTH,
2637 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 5,
2638 .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
2642 static const ARMCPRegInfo lpae_cp_reginfo[] = {
2644 { .name = "AMAIR0", .state = ARM_CP_STATE_BOTH,
2645 .opc0 = 3, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 0,
2646 .access = PL1_RW, .type = ARM_CP_CONST,
2648 /* AMAIR1 is mapped to AMAIR_EL1[63:32] */
2649 { .name = "AMAIR1", .cp = 15, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 1,
2650 .access = PL1_RW, .type = ARM_CP_CONST,
2652 { .name = "PAR", .cp = 15, .crm = 7, .opc1 = 0,
2653 .access = PL1_RW, .type = ARM_CP_64BIT, .resetvalue = 0,
2654 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.par_s),
2655 offsetof(CPUARMState, cp15.par_ns)} },
2656 { .name = "TTBR0", .cp = 15, .crm = 2, .opc1 = 0,
2657 .access = PL1_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,
2658 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),
2659 offsetof(CPUARMState, cp15.ttbr0_ns) },
2660 .writefn = vmsa_ttbr_write, },
2661 { .name = "TTBR1", .cp = 15, .crm = 2, .opc1 = 1,
2662 .access = PL1_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,
2663 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),
2664 offsetof(CPUARMState, cp15.ttbr1_ns) },
2665 .writefn = vmsa_ttbr_write, },
2669 static uint64_t aa64_fpcr_read(CPUARMState *env, const ARMCPRegInfo *ri)
2671 return vfp_get_fpcr(env);
2674 static void aa64_fpcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2677 vfp_set_fpcr(env, value);
2680 static uint64_t aa64_fpsr_read(CPUARMState *env, const ARMCPRegInfo *ri)
2682 return vfp_get_fpsr(env);
2685 static void aa64_fpsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2688 vfp_set_fpsr(env, value);
2691 static CPAccessResult aa64_daif_access(CPUARMState *env, const ARMCPRegInfo *ri,
2694 if (arm_current_el(env) == 0 && !(env->cp15.sctlr_el[1] & SCTLR_UMA)) {
2695 return CP_ACCESS_TRAP;
2697 return CP_ACCESS_OK;
2700 static void aa64_daif_write(CPUARMState *env, const ARMCPRegInfo *ri,
2703 env->daif = value & PSTATE_DAIF;
2706 static CPAccessResult aa64_cacheop_access(CPUARMState *env,
2707 const ARMCPRegInfo *ri,
2710 /* Cache invalidate/clean: NOP, but EL0 must UNDEF unless
2711 * SCTLR_EL1.UCI is set.
2713 if (arm_current_el(env) == 0 && !(env->cp15.sctlr_el[1] & SCTLR_UCI)) {
2714 return CP_ACCESS_TRAP;
2716 return CP_ACCESS_OK;
2719 /* See: D4.7.2 TLB maintenance requirements and the TLB maintenance instructions
2720 * Page D4-1736 (DDI0487A.b)
2723 static void tlbi_aa64_vmalle1_write(CPUARMState *env, const ARMCPRegInfo *ri,
2726 ARMCPU *cpu = arm_env_get_cpu(env);
2727 CPUState *cs = CPU(cpu);
2729 if (arm_is_secure_below_el3(env)) {
2730 tlb_flush_by_mmuidx(cs, ARMMMUIdx_S1SE1, ARMMMUIdx_S1SE0, -1);
2732 tlb_flush_by_mmuidx(cs, ARMMMUIdx_S12NSE1, ARMMMUIdx_S12NSE0, -1);
2736 static void tlbi_aa64_vmalle1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
2739 bool sec = arm_is_secure_below_el3(env);
2742 CPU_FOREACH(other_cs) {
2744 tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S1SE1, ARMMMUIdx_S1SE0, -1);
2746 tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S12NSE1,
2747 ARMMMUIdx_S12NSE0, -1);
2752 static void tlbi_aa64_alle1_write(CPUARMState *env, const ARMCPRegInfo *ri,
2755 /* Note that the 'ALL' scope must invalidate both stage 1 and
2756 * stage 2 translations, whereas most other scopes only invalidate
2757 * stage 1 translations.
2759 ARMCPU *cpu = arm_env_get_cpu(env);
2760 CPUState *cs = CPU(cpu);
2762 if (arm_is_secure_below_el3(env)) {
2763 tlb_flush_by_mmuidx(cs, ARMMMUIdx_S1SE1, ARMMMUIdx_S1SE0, -1);
2765 if (arm_feature(env, ARM_FEATURE_EL2)) {
2766 tlb_flush_by_mmuidx(cs, ARMMMUIdx_S12NSE1, ARMMMUIdx_S12NSE0,
2767 ARMMMUIdx_S2NS, -1);
2769 tlb_flush_by_mmuidx(cs, ARMMMUIdx_S12NSE1, ARMMMUIdx_S12NSE0, -1);
2774 static void tlbi_aa64_alle2_write(CPUARMState *env, const ARMCPRegInfo *ri,
2777 ARMCPU *cpu = arm_env_get_cpu(env);
2778 CPUState *cs = CPU(cpu);
2780 tlb_flush_by_mmuidx(cs, ARMMMUIdx_S1E2, -1);
2783 static void tlbi_aa64_alle3_write(CPUARMState *env, const ARMCPRegInfo *ri,
2786 ARMCPU *cpu = arm_env_get_cpu(env);
2787 CPUState *cs = CPU(cpu);
2789 tlb_flush_by_mmuidx(cs, ARMMMUIdx_S1E3, -1);
2792 static void tlbi_aa64_alle1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
2795 /* Note that the 'ALL' scope must invalidate both stage 1 and
2796 * stage 2 translations, whereas most other scopes only invalidate
2797 * stage 1 translations.
2799 bool sec = arm_is_secure_below_el3(env);
2800 bool has_el2 = arm_feature(env, ARM_FEATURE_EL2);
2803 CPU_FOREACH(other_cs) {
2805 tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S1SE1, ARMMMUIdx_S1SE0, -1);
2806 } else if (has_el2) {
2807 tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S12NSE1,
2808 ARMMMUIdx_S12NSE0, ARMMMUIdx_S2NS, -1);
2810 tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S12NSE1,
2811 ARMMMUIdx_S12NSE0, -1);
2816 static void tlbi_aa64_alle2is_write(CPUARMState *env, const ARMCPRegInfo *ri,
2821 CPU_FOREACH(other_cs) {
2822 tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S1E2, -1);
2826 static void tlbi_aa64_alle3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
2831 CPU_FOREACH(other_cs) {
2832 tlb_flush_by_mmuidx(other_cs, ARMMMUIdx_S1E3, -1);
2836 static void tlbi_aa64_vae1_write(CPUARMState *env, const ARMCPRegInfo *ri,
2839 /* Invalidate by VA, EL1&0 (AArch64 version).
2840 * Currently handles all of VAE1, VAAE1, VAALE1 and VALE1,
2841 * since we don't support flush-for-specific-ASID-only or
2842 * flush-last-level-only.
2844 ARMCPU *cpu = arm_env_get_cpu(env);
2845 CPUState *cs = CPU(cpu);
2846 uint64_t pageaddr = sextract64(value << 12, 0, 56);
2848 if (arm_is_secure_below_el3(env)) {
2849 tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdx_S1SE1,
2850 ARMMMUIdx_S1SE0, -1);
2852 tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdx_S12NSE1,
2853 ARMMMUIdx_S12NSE0, -1);
2857 static void tlbi_aa64_vae2_write(CPUARMState *env, const ARMCPRegInfo *ri,
2860 /* Invalidate by VA, EL2
2861 * Currently handles both VAE2 and VALE2, since we don't support
2862 * flush-last-level-only.
2864 ARMCPU *cpu = arm_env_get_cpu(env);
2865 CPUState *cs = CPU(cpu);
2866 uint64_t pageaddr = sextract64(value << 12, 0, 56);
2868 tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdx_S1E2, -1);
2871 static void tlbi_aa64_vae3_write(CPUARMState *env, const ARMCPRegInfo *ri,
2874 /* Invalidate by VA, EL3
2875 * Currently handles both VAE3 and VALE3, since we don't support
2876 * flush-last-level-only.
2878 ARMCPU *cpu = arm_env_get_cpu(env);
2879 CPUState *cs = CPU(cpu);
2880 uint64_t pageaddr = sextract64(value << 12, 0, 56);
2882 tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdx_S1E3, -1);
2885 static void tlbi_aa64_vae1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
2888 bool sec = arm_is_secure_below_el3(env);
2890 uint64_t pageaddr = sextract64(value << 12, 0, 56);
2892 CPU_FOREACH(other_cs) {
2894 tlb_flush_page_by_mmuidx(other_cs, pageaddr, ARMMMUIdx_S1SE1,
2895 ARMMMUIdx_S1SE0, -1);
2897 tlb_flush_page_by_mmuidx(other_cs, pageaddr, ARMMMUIdx_S12NSE1,
2898 ARMMMUIdx_S12NSE0, -1);
2903 static void tlbi_aa64_vae2is_write(CPUARMState *env, const ARMCPRegInfo *ri,
2907 uint64_t pageaddr = sextract64(value << 12, 0, 56);
2909 CPU_FOREACH(other_cs) {
2910 tlb_flush_page_by_mmuidx(other_cs, pageaddr, ARMMMUIdx_S1E2, -1);
2914 static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
2918 uint64_t pageaddr = sextract64(value << 12, 0, 56);
2920 CPU_FOREACH(other_cs) {
2921 tlb_flush_page_by_mmuidx(other_cs, pageaddr, ARMMMUIdx_S1E3, -1);
2925 static void tlbi_aa64_ipas2e1_write(CPUARMState *env, const ARMCPRegInfo *ri,
2928 /* Invalidate by IPA. This has to invalidate any structures that
2929 * contain only stage 2 translation information, but does not need
2930 * to apply to structures that contain combined stage 1 and stage 2
2931 * translation information.
2932 * This must NOP if EL2 isn't implemented or SCR_EL3.NS is zero.
2934 ARMCPU *cpu = arm_env_get_cpu(env);
2935 CPUState *cs = CPU(cpu);
2938 if (!arm_feature(env, ARM_FEATURE_EL2) || !(env->cp15.scr_el3 & SCR_NS)) {
2942 pageaddr = sextract64(value << 12, 0, 48);
2944 tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdx_S2NS, -1);
2947 static void tlbi_aa64_ipas2e1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
2953 if (!arm_feature(env, ARM_FEATURE_EL2) || !(env->cp15.scr_el3 & SCR_NS)) {
2957 pageaddr = sextract64(value << 12, 0, 48);
2959 CPU_FOREACH(other_cs) {
2960 tlb_flush_page_by_mmuidx(other_cs, pageaddr, ARMMMUIdx_S2NS, -1);
2964 static CPAccessResult aa64_zva_access(CPUARMState *env, const ARMCPRegInfo *ri,
2967 /* We don't implement EL2, so the only control on DC ZVA is the
2968 * bit in the SCTLR which can prohibit access for EL0.
2970 if (arm_current_el(env) == 0 && !(env->cp15.sctlr_el[1] & SCTLR_DZE)) {
2971 return CP_ACCESS_TRAP;
2973 return CP_ACCESS_OK;
2976 static uint64_t aa64_dczid_read(CPUARMState *env, const ARMCPRegInfo *ri)
2978 ARMCPU *cpu = arm_env_get_cpu(env);
2979 int dzp_bit = 1 << 4;
2981 /* DZP indicates whether DC ZVA access is allowed */
2982 if (aa64_zva_access(env, NULL, false) == CP_ACCESS_OK) {
2985 return cpu->dcz_blocksize | dzp_bit;
2988 static CPAccessResult sp_el0_access(CPUARMState *env, const ARMCPRegInfo *ri,
2991 if (!(env->pstate & PSTATE_SP)) {
2992 /* Access to SP_EL0 is undefined if it's being used as
2993 * the stack pointer.
2995 return CP_ACCESS_TRAP_UNCATEGORIZED;
2997 return CP_ACCESS_OK;
3000 static uint64_t spsel_read(CPUARMState *env, const ARMCPRegInfo *ri)
3002 return env->pstate & PSTATE_SP;
3005 static void spsel_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t val)
3007 update_spsel(env, val);
3010 static void sctlr_write(CPUARMState *env, const ARMCPRegInfo *ri,
3013 ARMCPU *cpu = arm_env_get_cpu(env);
3015 if (raw_read(env, ri) == value) {
3016 /* Skip the TLB flush if nothing actually changed; Linux likes
3017 * to do a lot of pointless SCTLR writes.
3022 raw_write(env, ri, value);
3023 /* ??? Lots of these bits are not implemented. */
3024 /* This may enable/disable the MMU, so do a TLB flush. */
3025 tlb_flush(CPU(cpu), 1);
3028 static CPAccessResult fpexc32_access(CPUARMState *env, const ARMCPRegInfo *ri,
3031 if ((env->cp15.cptr_el[2] & CPTR_TFP) && arm_current_el(env) == 2) {
3032 return CP_ACCESS_TRAP_FP_EL2;
3034 if (env->cp15.cptr_el[3] & CPTR_TFP) {
3035 return CP_ACCESS_TRAP_FP_EL3;
3037 return CP_ACCESS_OK;
3040 static const ARMCPRegInfo v8_cp_reginfo[] = {
3041 /* Minimal set of EL0-visible registers. This will need to be expanded
3042 * significantly for system emulation of AArch64 CPUs.
3044 { .name = "NZCV", .state = ARM_CP_STATE_AA64,
3045 .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 2,
3046 .access = PL0_RW, .type = ARM_CP_NZCV },
3047 { .name = "DAIF", .state = ARM_CP_STATE_AA64,
3048 .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 2,
3049 .type = ARM_CP_NO_RAW,
3050 .access = PL0_RW, .accessfn = aa64_daif_access,
3051 .fieldoffset = offsetof(CPUARMState, daif),
3052 .writefn = aa64_daif_write, .resetfn = arm_cp_reset_ignore },
3053 { .name = "FPCR", .state = ARM_CP_STATE_AA64,
3054 .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 4,
3055 .access = PL0_RW, .readfn = aa64_fpcr_read, .writefn = aa64_fpcr_write },
3056 { .name = "FPSR", .state = ARM_CP_STATE_AA64,
3057 .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 4,
3058 .access = PL0_RW, .readfn = aa64_fpsr_read, .writefn = aa64_fpsr_write },
3059 { .name = "DCZID_EL0", .state = ARM_CP_STATE_AA64,
3060 .opc0 = 3, .opc1 = 3, .opc2 = 7, .crn = 0, .crm = 0,
3061 .access = PL0_R, .type = ARM_CP_NO_RAW,
3062 .readfn = aa64_dczid_read },
3063 { .name = "DC_ZVA", .state = ARM_CP_STATE_AA64,
3064 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 4, .opc2 = 1,
3065 .access = PL0_W, .type = ARM_CP_DC_ZVA,
3066 #ifndef CONFIG_USER_ONLY
3067 /* Avoid overhead of an access check that always passes in user-mode */
3068 .accessfn = aa64_zva_access,
3071 { .name = "CURRENTEL", .state = ARM_CP_STATE_AA64,
3072 .opc0 = 3, .opc1 = 0, .opc2 = 2, .crn = 4, .crm = 2,
3073 .access = PL1_R, .type = ARM_CP_CURRENTEL },
3074 /* Cache ops: all NOPs since we don't emulate caches */
3075 { .name = "IC_IALLUIS", .state = ARM_CP_STATE_AA64,
3076 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,
3077 .access = PL1_W, .type = ARM_CP_NOP },
3078 { .name = "IC_IALLU", .state = ARM_CP_STATE_AA64,
3079 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 0,
3080 .access = PL1_W, .type = ARM_CP_NOP },
3081 { .name = "IC_IVAU", .state = ARM_CP_STATE_AA64,
3082 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 5, .opc2 = 1,
3083 .access = PL0_W, .type = ARM_CP_NOP,
3084 .accessfn = aa64_cacheop_access },
3085 { .name = "DC_IVAC", .state = ARM_CP_STATE_AA64,
3086 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1,
3087 .access = PL1_W, .type = ARM_CP_NOP },
3088 { .name = "DC_ISW", .state = ARM_CP_STATE_AA64,
3089 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2,
3090 .access = PL1_W, .type = ARM_CP_NOP },
3091 { .name = "DC_CVAC", .state = ARM_CP_STATE_AA64,
3092 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 10, .opc2 = 1,
3093 .access = PL0_W, .type = ARM_CP_NOP,
3094 .accessfn = aa64_cacheop_access },
3095 { .name = "DC_CSW", .state = ARM_CP_STATE_AA64,
3096 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2,
3097 .access = PL1_W, .type = ARM_CP_NOP },
3098 { .name = "DC_CVAU", .state = ARM_CP_STATE_AA64,
3099 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 11, .opc2 = 1,
3100 .access = PL0_W, .type = ARM_CP_NOP,
3101 .accessfn = aa64_cacheop_access },
3102 { .name = "DC_CIVAC", .state = ARM_CP_STATE_AA64,
3103 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 14, .opc2 = 1,
3104 .access = PL0_W, .type = ARM_CP_NOP,
3105 .accessfn = aa64_cacheop_access },
3106 { .name = "DC_CISW", .state = ARM_CP_STATE_AA64,
3107 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2,
3108 .access = PL1_W, .type = ARM_CP_NOP },
3109 /* TLBI operations */
3110 { .name = "TLBI_VMALLE1IS", .state = ARM_CP_STATE_AA64,
3111 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0,
3112 .access = PL1_W, .type = ARM_CP_NO_RAW,
3113 .writefn = tlbi_aa64_vmalle1is_write },
3114 { .name = "TLBI_VAE1IS", .state = ARM_CP_STATE_AA64,
3115 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1,
3116 .access = PL1_W, .type = ARM_CP_NO_RAW,
3117 .writefn = tlbi_aa64_vae1is_write },
3118 { .name = "TLBI_ASIDE1IS", .state = ARM_CP_STATE_AA64,
3119 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 2,
3120 .access = PL1_W, .type = ARM_CP_NO_RAW,
3121 .writefn = tlbi_aa64_vmalle1is_write },
3122 { .name = "TLBI_VAAE1IS", .state = ARM_CP_STATE_AA64,
3123 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3,
3124 .access = PL1_W, .type = ARM_CP_NO_RAW,
3125 .writefn = tlbi_aa64_vae1is_write },
3126 { .name = "TLBI_VALE1IS", .state = ARM_CP_STATE_AA64,
3127 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5,
3128 .access = PL1_W, .type = ARM_CP_NO_RAW,
3129 .writefn = tlbi_aa64_vae1is_write },
3130 { .name = "TLBI_VAALE1IS", .state = ARM_CP_STATE_AA64,
3131 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 7,
3132 .access = PL1_W, .type = ARM_CP_NO_RAW,
3133 .writefn = tlbi_aa64_vae1is_write },
3134 { .name = "TLBI_VMALLE1", .state = ARM_CP_STATE_AA64,
3135 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 0,
3136 .access = PL1_W, .type = ARM_CP_NO_RAW,
3137 .writefn = tlbi_aa64_vmalle1_write },
3138 { .name = "TLBI_VAE1", .state = ARM_CP_STATE_AA64,
3139 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 1,
3140 .access = PL1_W, .type = ARM_CP_NO_RAW,
3141 .writefn = tlbi_aa64_vae1_write },
3142 { .name = "TLBI_ASIDE1", .state = ARM_CP_STATE_AA64,
3143 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 2,
3144 .access = PL1_W, .type = ARM_CP_NO_RAW,
3145 .writefn = tlbi_aa64_vmalle1_write },
3146 { .name = "TLBI_VAAE1", .state = ARM_CP_STATE_AA64,
3147 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3,
3148 .access = PL1_W, .type = ARM_CP_NO_RAW,
3149 .writefn = tlbi_aa64_vae1_write },
3150 { .name = "TLBI_VALE1", .state = ARM_CP_STATE_AA64,
3151 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 5,
3152 .access = PL1_W, .type = ARM_CP_NO_RAW,
3153 .writefn = tlbi_aa64_vae1_write },
3154 { .name = "TLBI_VAALE1", .state = ARM_CP_STATE_AA64,
3155 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 7,
3156 .access = PL1_W, .type = ARM_CP_NO_RAW,
3157 .writefn = tlbi_aa64_vae1_write },
3158 { .name = "TLBI_IPAS2E1IS", .state = ARM_CP_STATE_AA64,
3159 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 1,
3160 .access = PL2_W, .type = ARM_CP_NO_RAW,
3161 .writefn = tlbi_aa64_ipas2e1is_write },
3162 { .name = "TLBI_IPAS2LE1IS", .state = ARM_CP_STATE_AA64,
3163 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 5,
3164 .access = PL2_W, .type = ARM_CP_NO_RAW,
3165 .writefn = tlbi_aa64_ipas2e1is_write },
3166 { .name = "TLBI_ALLE1IS", .state = ARM_CP_STATE_AA64,
3167 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 4,
3168 .access = PL2_W, .type = ARM_CP_NO_RAW,
3169 .writefn = tlbi_aa64_alle1is_write },
3170 { .name = "TLBI_VMALLS12E1IS", .state = ARM_CP_STATE_AA64,
3171 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 6,
3172 .access = PL2_W, .type = ARM_CP_NO_RAW,
3173 .writefn = tlbi_aa64_alle1is_write },
3174 { .name = "TLBI_IPAS2E1", .state = ARM_CP_STATE_AA64,
3175 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 1,
3176 .access = PL2_W, .type = ARM_CP_NO_RAW,
3177 .writefn = tlbi_aa64_ipas2e1_write },
3178 { .name = "TLBI_IPAS2LE1", .state = ARM_CP_STATE_AA64,
3179 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 5,
3180 .access = PL2_W, .type = ARM_CP_NO_RAW,
3181 .writefn = tlbi_aa64_ipas2e1_write },
3182 { .name = "TLBI_ALLE1", .state = ARM_CP_STATE_AA64,
3183 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 4,
3184 .access = PL2_W, .type = ARM_CP_NO_RAW,
3185 .writefn = tlbi_aa64_alle1_write },
3186 { .name = "TLBI_VMALLS12E1", .state = ARM_CP_STATE_AA64,
3187 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 6,
3188 .access = PL2_W, .type = ARM_CP_NO_RAW,
3189 .writefn = tlbi_aa64_alle1is_write },
3190 #ifndef CONFIG_USER_ONLY
3191 /* 64 bit address translation operations */
3192 { .name = "AT_S1E1R", .state = ARM_CP_STATE_AA64,
3193 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 0,
3194 .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3195 { .name = "AT_S1E1W", .state = ARM_CP_STATE_AA64,
3196 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 1,
3197 .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3198 { .name = "AT_S1E0R", .state = ARM_CP_STATE_AA64,
3199 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 2,
3200 .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3201 { .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64,
3202 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3,
3203 .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3204 { .name = "AT_S12E1R", .state = ARM_CP_STATE_AA64,
3205 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 4,
3206 .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3207 { .name = "AT_S12E1W", .state = ARM_CP_STATE_AA64,
3208 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 5,
3209 .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3210 { .name = "AT_S12E0R", .state = ARM_CP_STATE_AA64,
3211 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 6,
3212 .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3213 { .name = "AT_S12E0W", .state = ARM_CP_STATE_AA64,
3214 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 7,
3215 .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3216 /* AT S1E2* are elsewhere as they UNDEF from EL3 if EL2 is not present */
3217 { .name = "AT_S1E3R", .state = ARM_CP_STATE_AA64,
3218 .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 0,
3219 .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3220 { .name = "AT_S1E3W", .state = ARM_CP_STATE_AA64,
3221 .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 1,
3222 .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3223 { .name = "PAR_EL1", .state = ARM_CP_STATE_AA64,
3224 .type = ARM_CP_ALIAS,
3225 .opc0 = 3, .opc1 = 0, .crn = 7, .crm = 4, .opc2 = 0,
3226 .access = PL1_RW, .resetvalue = 0,
3227 .fieldoffset = offsetof(CPUARMState, cp15.par_el[1]),
3228 .writefn = par_write },
3230 /* TLB invalidate last level of translation table walk */
3231 { .name = "TLBIMVALIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5,
3232 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_is_write },
3233 { .name = "TLBIMVAALIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 7,
3234 .type = ARM_CP_NO_RAW, .access = PL1_W,
3235 .writefn = tlbimvaa_is_write },
3236 { .name = "TLBIMVAL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 5,
3237 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write },
3238 { .name = "TLBIMVAAL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 7,
3239 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimvaa_write },
3240 /* 32 bit cache operations */
3241 { .name = "ICIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,
3242 .type = ARM_CP_NOP, .access = PL1_W },
3243 { .name = "BPIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 6,
3244 .type = ARM_CP_NOP, .access = PL1_W },
3245 { .name = "ICIALLU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 0,
3246 .type = ARM_CP_NOP, .access = PL1_W },
3247 { .name = "ICIMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 1,
3248 .type = ARM_CP_NOP, .access = PL1_W },
3249 { .name = "BPIALL", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 6,
3250 .type = ARM_CP_NOP, .access = PL1_W },
3251 { .name = "BPIMVA", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 7,
3252 .type = ARM_CP_NOP, .access = PL1_W },
3253 { .name = "DCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1,
3254 .type = ARM_CP_NOP, .access = PL1_W },
3255 { .name = "DCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2,
3256 .type = ARM_CP_NOP, .access = PL1_W },
3257 { .name = "DCCMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 1,
3258 .type = ARM_CP_NOP, .access = PL1_W },
3259 { .name = "DCCSW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2,
3260 .type = ARM_CP_NOP, .access = PL1_W },
3261 { .name = "DCCMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 11, .opc2 = 1,
3262 .type = ARM_CP_NOP, .access = PL1_W },
3263 { .name = "DCCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 1,
3264 .type = ARM_CP_NOP, .access = PL1_W },
3265 { .name = "DCCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2,
3266 .type = ARM_CP_NOP, .access = PL1_W },
3267 /* MMU Domain access control / MPU write buffer control */
3268 { .name = "DACR", .cp = 15, .opc1 = 0, .crn = 3, .crm = 0, .opc2 = 0,
3269 .access = PL1_RW, .resetvalue = 0,
3270 .writefn = dacr_write, .raw_writefn = raw_write,
3271 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dacr_s),
3272 offsetoflow32(CPUARMState, cp15.dacr_ns) } },
3273 { .name = "ELR_EL1", .state = ARM_CP_STATE_AA64,
3274 .type = ARM_CP_ALIAS,
3275 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 0, .opc2 = 1,
3277 .fieldoffset = offsetof(CPUARMState, elr_el[1]) },
3278 { .name = "SPSR_EL1", .state = ARM_CP_STATE_AA64,
3279 .type = ARM_CP_ALIAS,
3280 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 0, .opc2 = 0,
3282 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_SVC]) },
3283 /* We rely on the access checks not allowing the guest to write to the
3284 * state field when SPSel indicates that it's being used as the stack
3287 { .name = "SP_EL0", .state = ARM_CP_STATE_AA64,
3288 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 1, .opc2 = 0,
3289 .access = PL1_RW, .accessfn = sp_el0_access,
3290 .type = ARM_CP_ALIAS,
3291 .fieldoffset = offsetof(CPUARMState, sp_el[0]) },
3292 { .name = "SP_EL1", .state = ARM_CP_STATE_AA64,
3293 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 1, .opc2 = 0,
3294 .access = PL2_RW, .type = ARM_CP_ALIAS,
3295 .fieldoffset = offsetof(CPUARMState, sp_el[1]) },
3296 { .name = "SPSel", .state = ARM_CP_STATE_AA64,
3297 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 0,
3298 .type = ARM_CP_NO_RAW,
3299 .access = PL1_RW, .readfn = spsel_read, .writefn = spsel_write },
3300 { .name = "FPEXC32_EL2", .state = ARM_CP_STATE_AA64,
3301 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 3, .opc2 = 0,
3302 .type = ARM_CP_ALIAS,
3303 .fieldoffset = offsetof(CPUARMState, vfp.xregs[ARM_VFP_FPEXC]),
3304 .access = PL2_RW, .accessfn = fpexc32_access },
3305 { .name = "DACR32_EL2", .state = ARM_CP_STATE_AA64,
3306 .opc0 = 3, .opc1 = 4, .crn = 3, .crm = 0, .opc2 = 0,
3307 .access = PL2_RW, .resetvalue = 0,
3308 .writefn = dacr_write, .raw_writefn = raw_write,
3309 .fieldoffset = offsetof(CPUARMState, cp15.dacr32_el2) },
3310 { .name = "IFSR32_EL2", .state = ARM_CP_STATE_AA64,
3311 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 0, .opc2 = 1,
3312 .access = PL2_RW, .resetvalue = 0,
3313 .fieldoffset = offsetof(CPUARMState, cp15.ifsr32_el2) },
3314 { .name = "SPSR_IRQ", .state = ARM_CP_STATE_AA64,
3315 .type = ARM_CP_ALIAS,
3316 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 0,
3318 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_IRQ]) },
3319 { .name = "SPSR_ABT", .state = ARM_CP_STATE_AA64,
3320 .type = ARM_CP_ALIAS,
3321 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 1,
3323 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_ABT]) },
3324 { .name = "SPSR_UND", .state = ARM_CP_STATE_AA64,
3325 .type = ARM_CP_ALIAS,
3326 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 2,
3328 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_UND]) },
3329 { .name = "SPSR_FIQ", .state = ARM_CP_STATE_AA64,
3330 .type = ARM_CP_ALIAS,
3331 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 3,
3333 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_FIQ]) },
3337 /* Used to describe the behaviour of EL2 regs when EL2 does not exist. */
3338 static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
3339 { .name = "VBAR_EL2", .state = ARM_CP_STATE_AA64,
3340 .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 0,
3342 .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore },
3343 { .name = "HCR_EL2", .state = ARM_CP_STATE_AA64,
3344 .type = ARM_CP_NO_RAW,
3345 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
3347 .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore },
3348 { .name = "CPTR_EL2", .state = ARM_CP_STATE_BOTH,
3349 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 2,
3350 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3351 { .name = "MAIR_EL2", .state = ARM_CP_STATE_BOTH,
3352 .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 0,
3353 .access = PL2_RW, .type = ARM_CP_CONST,
3355 { .name = "HMAIR1", .state = ARM_CP_STATE_AA32,
3356 .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 1,
3357 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3358 { .name = "AMAIR_EL2", .state = ARM_CP_STATE_BOTH,
3359 .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 0,
3360 .access = PL2_RW, .type = ARM_CP_CONST,
3362 { .name = "HMAIR1", .state = ARM_CP_STATE_AA32,
3363 .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 1,
3364 .access = PL2_RW, .type = ARM_CP_CONST,
3366 { .name = "AFSR0_EL2", .state = ARM_CP_STATE_BOTH,
3367 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 0,
3368 .access = PL2_RW, .type = ARM_CP_CONST,
3370 { .name = "AFSR1_EL2", .state = ARM_CP_STATE_BOTH,
3371 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 1,
3372 .access = PL2_RW, .type = ARM_CP_CONST,
3374 { .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH,
3375 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2,
3376 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3377 { .name = "VTCR_EL2", .state = ARM_CP_STATE_BOTH,
3378 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,
3379 .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
3380 .type = ARM_CP_CONST, .resetvalue = 0 },
3381 { .name = "VTTBR", .state = ARM_CP_STATE_AA32,
3382 .cp = 15, .opc1 = 6, .crm = 2,
3383 .access = PL2_RW, .accessfn = access_el3_aa32ns,
3384 .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
3385 { .name = "VTTBR_EL2", .state = ARM_CP_STATE_AA64,
3386 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 0,
3387 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3388 { .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH,
3389 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0,
3390 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3391 { .name = "TPIDR_EL2", .state = ARM_CP_STATE_BOTH,
3392 .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 2,
3393 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3394 { .name = "TTBR0_EL2", .state = ARM_CP_STATE_AA64,
3395 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0,
3396 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3397 { .name = "HTTBR", .cp = 15, .opc1 = 4, .crm = 2,
3398 .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_CONST,
3400 { .name = "CNTHCTL_EL2", .state = ARM_CP_STATE_BOTH,
3401 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 1, .opc2 = 0,
3402 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3403 { .name = "CNTVOFF_EL2", .state = ARM_CP_STATE_AA64,
3404 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 0, .opc2 = 3,
3405 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3406 { .name = "CNTVOFF", .cp = 15, .opc1 = 4, .crm = 14,
3407 .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_CONST,
3409 { .name = "CNTHP_CVAL_EL2", .state = ARM_CP_STATE_AA64,
3410 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 2,
3411 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3412 { .name = "CNTHP_CVAL", .cp = 15, .opc1 = 6, .crm = 14,
3413 .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_CONST,
3415 { .name = "CNTHP_TVAL_EL2", .state = ARM_CP_STATE_BOTH,
3416 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 0,
3417 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3418 { .name = "CNTHP_CTL_EL2", .state = ARM_CP_STATE_BOTH,
3419 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 1,
3420 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
3421 { .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH,
3422 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1,
3423 .access = PL2_RW, .accessfn = access_tda,
3424 .type = ARM_CP_CONST, .resetvalue = 0 },
3425 { .name = "HPFAR_EL2", .state = ARM_CP_STATE_BOTH,
3426 .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4,
3427 .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
3428 .type = ARM_CP_CONST, .resetvalue = 0 },
3432 static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
3434 ARMCPU *cpu = arm_env_get_cpu(env);
3435 uint64_t valid_mask = HCR_MASK;
3437 if (arm_feature(env, ARM_FEATURE_EL3)) {
3438 valid_mask &= ~HCR_HCD;
3440 valid_mask &= ~HCR_TSC;
3443 /* Clear RES0 bits. */
3444 value &= valid_mask;
3446 /* These bits change the MMU setup:
3447 * HCR_VM enables stage 2 translation
3448 * HCR_PTW forbids certain page-table setups
3449 * HCR_DC Disables stage1 and enables stage2 translation
3451 if ((raw_read(env, ri) ^ value) & (HCR_VM | HCR_PTW | HCR_DC)) {
3452 tlb_flush(CPU(cpu), 1);
3454 raw_write(env, ri, value);
3457 static const ARMCPRegInfo el2_cp_reginfo[] = {
3458 { .name = "HCR_EL2", .state = ARM_CP_STATE_AA64,
3459 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
3460 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2),
3461 .writefn = hcr_write },
3462 { .name = "ELR_EL2", .state = ARM_CP_STATE_AA64,
3463 .type = ARM_CP_ALIAS,
3464 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 1,
3466 .fieldoffset = offsetof(CPUARMState, elr_el[2]) },
3467 { .name = "ESR_EL2", .state = ARM_CP_STATE_AA64,
3468 .type = ARM_CP_ALIAS,
3469 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 0,
3470 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.esr_el[2]) },
3471 { .name = "FAR_EL2", .state = ARM_CP_STATE_AA64,
3472 .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 0,
3473 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[2]) },
3474 { .name = "SPSR_EL2", .state = ARM_CP_STATE_AA64,
3475 .type = ARM_CP_ALIAS,
3476 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 0,
3478 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_HYP]) },
3479 { .name = "VBAR_EL2", .state = ARM_CP_STATE_AA64,
3480 .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 0,
3481 .access = PL2_RW, .writefn = vbar_write,
3482 .fieldoffset = offsetof(CPUARMState, cp15.vbar_el[2]),
3484 { .name = "SP_EL2", .state = ARM_CP_STATE_AA64,
3485 .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 1, .opc2 = 0,
3486 .access = PL3_RW, .type = ARM_CP_ALIAS,
3487 .fieldoffset = offsetof(CPUARMState, sp_el[2]) },
3488 { .name = "CPTR_EL2", .state = ARM_CP_STATE_BOTH,
3489 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 2,
3490 .access = PL2_RW, .accessfn = cptr_access, .resetvalue = 0,
3491 .fieldoffset = offsetof(CPUARMState, cp15.cptr_el[2]) },
3492 { .name = "MAIR_EL2", .state = ARM_CP_STATE_BOTH,
3493 .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 0,
3494 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[2]),
3496 { .name = "HMAIR1", .state = ARM_CP_STATE_AA32,
3497 .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 1,
3498 .access = PL2_RW, .type = ARM_CP_ALIAS,
3499 .fieldoffset = offsetofhigh32(CPUARMState, cp15.mair_el[2]) },
3500 { .name = "AMAIR_EL2", .state = ARM_CP_STATE_BOTH,
3501 .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 0,
3502 .access = PL2_RW, .type = ARM_CP_CONST,
3504 /* HAMAIR1 is mapped to AMAIR_EL2[63:32] */
3505 { .name = "HMAIR1", .state = ARM_CP_STATE_AA32,
3506 .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 1,
3507 .access = PL2_RW, .type = ARM_CP_CONST,
3509 { .name = "AFSR0_EL2", .state = ARM_CP_STATE_BOTH,
3510 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 0,
3511 .access = PL2_RW, .type = ARM_CP_CONST,
3513 { .name = "AFSR1_EL2", .state = ARM_CP_STATE_BOTH,
3514 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 1,
3515 .access = PL2_RW, .type = ARM_CP_CONST,
3517 { .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH,
3518 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2,
3519 .access = PL2_RW, .writefn = vmsa_tcr_el1_write,
3520 .resetfn = vmsa_ttbcr_reset, .raw_writefn = raw_write,
3521 .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[2]) },
3522 { .name = "VTCR", .state = ARM_CP_STATE_AA32,
3523 .cp = 15, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,
3524 .access = PL2_RW, .accessfn = access_el3_aa32ns,
3525 .fieldoffset = offsetof(CPUARMState, cp15.vtcr_el2) },
3526 { .name = "VTCR_EL2", .state = ARM_CP_STATE_AA64,
3527 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,
3528 .access = PL2_RW, .type = ARM_CP_ALIAS,
3529 .fieldoffset = offsetof(CPUARMState, cp15.vtcr_el2) },
3530 { .name = "VTTBR", .state = ARM_CP_STATE_AA32,
3531 .cp = 15, .opc1 = 6, .crm = 2,
3532 .type = ARM_CP_64BIT | ARM_CP_ALIAS,
3533 .access = PL2_RW, .accessfn = access_el3_aa32ns,
3534 .fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2),
3535 .writefn = vttbr_write },
3536 { .name = "VTTBR_EL2", .state = ARM_CP_STATE_AA64,
3537 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 0,
3538 .access = PL2_RW, .writefn = vttbr_write,
3539 .fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2) },
3540 { .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH,
3541 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0,
3542 .access = PL2_RW, .raw_writefn = raw_write, .writefn = sctlr_write,
3543 .fieldoffset = offsetof(CPUARMState, cp15.sctlr_el[2]) },
3544 { .name = "TPIDR_EL2", .state = ARM_CP_STATE_BOTH,
3545 .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 2,
3546 .access = PL2_RW, .resetvalue = 0,
3547 .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[2]) },
3548 { .name = "TTBR0_EL2", .state = ARM_CP_STATE_AA64,
3549 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0,
3550 .access = PL2_RW, .resetvalue = 0,
3551 .fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[2]) },
3552 { .name = "HTTBR", .cp = 15, .opc1 = 4, .crm = 2,
3553 .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,
3554 .fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[2]) },
3555 { .name = "TLBI_ALLE2", .state = ARM_CP_STATE_AA64,
3556 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 0,
3557 .type = ARM_CP_NO_RAW, .access = PL2_W,
3558 .writefn = tlbi_aa64_alle2_write },
3559 { .name = "TLBI_VAE2", .state = ARM_CP_STATE_AA64,
3560 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 1,
3561 .type = ARM_CP_NO_RAW, .access = PL2_W,
3562 .writefn = tlbi_aa64_vae2_write },
3563 { .name = "TLBI_VALE2", .state = ARM_CP_STATE_AA64,
3564 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 5,
3565 .access = PL2_W, .type = ARM_CP_NO_RAW,
3566 .writefn = tlbi_aa64_vae2_write },
3567 { .name = "TLBI_ALLE2IS", .state = ARM_CP_STATE_AA64,
3568 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 0,
3569 .access = PL2_W, .type = ARM_CP_NO_RAW,
3570 .writefn = tlbi_aa64_alle2is_write },
3571 { .name = "TLBI_VAE2IS", .state = ARM_CP_STATE_AA64,
3572 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 1,
3573 .type = ARM_CP_NO_RAW, .access = PL2_W,
3574 .writefn = tlbi_aa64_vae2is_write },
3575 { .name = "TLBI_VALE2IS", .state = ARM_CP_STATE_AA64,
3576 .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 5,
3577 .access = PL2_W, .type = ARM_CP_NO_RAW,
3578 .writefn = tlbi_aa64_vae2is_write },
3579 #ifndef CONFIG_USER_ONLY
3580 /* Unlike the other EL2-related AT operations, these must
3581 * UNDEF from EL3 if EL2 is not implemented, which is why we
3582 * define them here rather than with the rest of the AT ops.
3584 { .name = "AT_S1E2R", .state = ARM_CP_STATE_AA64,
3585 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
3586 .access = PL2_W, .accessfn = at_s1e2_access,
3587 .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3588 { .name = "AT_S1E2W", .state = ARM_CP_STATE_AA64,
3589 .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
3590 .access = PL2_W, .accessfn = at_s1e2_access,
3591 .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
3592 /* The AArch32 ATS1H* operations are CONSTRAINED UNPREDICTABLE
3593 * if EL2 is not implemented; we choose to UNDEF. Behaviour at EL3
3594 * with SCR.NS == 0 outside Monitor mode is UNPREDICTABLE; we choose
3595 * to behave as if SCR.NS was 1.
3597 { .name = "ATS1HR", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
3599 .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
3600 { .name = "ATS1HW", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
3602 .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
3603 { .name = "CNTHCTL_EL2", .state = ARM_CP_STATE_BOTH,
3604 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 1, .opc2 = 0,
3605 /* ARMv7 requires bit 0 and 1 to reset to 1. ARMv8 defines the
3606 * reset values as IMPDEF. We choose to reset to 3 to comply with
3607 * both ARMv7 and ARMv8.
3609 .access = PL2_RW, .resetvalue = 3,
3610 .fieldoffset = offsetof(CPUARMState, cp15.cnthctl_el2) },
3611 { .name = "CNTVOFF_EL2", .state = ARM_CP_STATE_AA64,
3612 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 0, .opc2 = 3,
3613 .access = PL2_RW, .type = ARM_CP_IO, .resetvalue = 0,
3614 .writefn = gt_cntvoff_write,
3615 .fieldoffset = offsetof(CPUARMState, cp15.cntvoff_el2) },
3616 { .name = "CNTVOFF", .cp = 15, .opc1 = 4, .crm = 14,
3617 .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS | ARM_CP_IO,
3618 .writefn = gt_cntvoff_write,
3619 .fieldoffset = offsetof(CPUARMState, cp15.cntvoff_el2) },
3620 { .name = "CNTHP_CVAL_EL2", .state = ARM_CP_STATE_AA64,
3621 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 2,
3622 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].cval),
3623 .type = ARM_CP_IO, .access = PL2_RW,
3624 .writefn = gt_hyp_cval_write, .raw_writefn = raw_write },
3625 { .name = "CNTHP_CVAL", .cp = 15, .opc1 = 6, .crm = 14,
3626 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].cval),
3627 .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_IO,
3628 .writefn = gt_hyp_cval_write, .raw_writefn = raw_write },
3629 { .name = "CNTHP_TVAL_EL2", .state = ARM_CP_STATE_BOTH,
3630 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 0,
3631 .type = ARM_CP_IO, .access = PL2_RW,
3632 .resetfn = gt_hyp_timer_reset,
3633 .readfn = gt_hyp_tval_read, .writefn = gt_hyp_tval_write },
3634 { .name = "CNTHP_CTL_EL2", .state = ARM_CP_STATE_BOTH,
3636 .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 1,
3638 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].ctl),
3640 .writefn = gt_hyp_ctl_write, .raw_writefn = raw_write },
3642 /* The only field of MDCR_EL2 that has a defined architectural reset value
3643 * is MDCR_EL2.HPMN which should reset to the value of PMCR_EL0.N; but we
3644 * don't impelment any PMU event counters, so using zero as a reset
3645 * value for MDCR_EL2 is okay
3647 { .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH,
3648 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1,
3649 .access = PL2_RW, .resetvalue = 0,
3650 .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el2), },
3651 { .name = "HPFAR", .state = ARM_CP_STATE_AA32,
3652 .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4,
3653 .access = PL2_RW, .accessfn = access_el3_aa32ns,
3654 .fieldoffset = offsetof(CPUARMState, cp15.hpfar_el2) },
3655 { .name = "HPFAR_EL2", .state = ARM_CP_STATE_AA64,
3656 .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4,
3658 .fieldoffset = offsetof(CPUARMState, cp15.hpfar_el2) },
3662 static CPAccessResult nsacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
3665 /* The NSACR is RW at EL3, and RO for NS EL1 and NS EL2.
3666 * At Secure EL1 it traps to EL3.
3668 if (arm_current_el(env) == 3) {
3669 return CP_ACCESS_OK;
3671 if (arm_is_secure_below_el3(env)) {
3672 return CP_ACCESS_TRAP_EL3;
3674 /* Accesses from EL1 NS and EL2 NS are UNDEF for write but allow reads. */
3676 return CP_ACCESS_OK;
3678 return CP_ACCESS_TRAP_UNCATEGORIZED;
3681 static const ARMCPRegInfo el3_cp_reginfo[] = {
3682 { .name = "SCR_EL3", .state = ARM_CP_STATE_AA64,
3683 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 0,
3684 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.scr_el3),
3685 .resetvalue = 0, .writefn = scr_write },
3686 { .name = "SCR", .type = ARM_CP_ALIAS,
3687 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 0,
3688 .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
3689 .fieldoffset = offsetoflow32(CPUARMState, cp15.scr_el3),
3690 .writefn = scr_write },
3691 { .name = "MDCR_EL3", .state = ARM_CP_STATE_AA64,
3692 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 3, .opc2 = 1,
3694 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el3) },
3695 { .name = "SDCR", .type = ARM_CP_ALIAS,
3696 .cp = 15, .opc1 = 0, .crn = 1, .crm = 3, .opc2 = 1,
3697 .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
3698 .fieldoffset = offsetoflow32(CPUARMState, cp15.mdcr_el3) },
3699 { .name = "SDER32_EL3", .state = ARM_CP_STATE_AA64,
3700 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 1,
3701 .access = PL3_RW, .resetvalue = 0,
3702 .fieldoffset = offsetof(CPUARMState, cp15.sder) },
3704 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 1,
3705 .access = PL3_RW, .resetvalue = 0,
3706 .fieldoffset = offsetoflow32(CPUARMState, cp15.sder) },
3707 { .name = "MVBAR", .cp = 15, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1,
3708 .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
3709 .writefn = vbar_write, .resetvalue = 0,
3710 .fieldoffset = offsetof(CPUARMState, cp15.mvbar) },
3711 { .name = "SCTLR_EL3", .state = ARM_CP_STATE_AA64,
3712 .type = ARM_CP_ALIAS, /* reset handled by AArch32 view */
3713 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 0, .opc2 = 0,
3714 .access = PL3_RW, .raw_writefn = raw_write, .writefn = sctlr_write,
3715 .fieldoffset = offsetof(CPUARMState, cp15.sctlr_el[3]) },
3716 { .name = "TTBR0_EL3", .state = ARM_CP_STATE_AA64,
3717 .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 0, .opc2 = 0,
3718 .access = PL3_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0,
3719 .fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[3]) },
3720 { .name = "TCR_EL3", .state = ARM_CP_STATE_AA64,
3721 .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 0, .opc2 = 2,
3722 .access = PL3_RW, .writefn = vmsa_tcr_el1_write,
3723 .resetfn = vmsa_ttbcr_reset, .raw_writefn = raw_write,
3724 .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[3]) },
3725 { .name = "ELR_EL3", .state = ARM_CP_STATE_AA64,
3726 .type = ARM_CP_ALIAS,
3727 .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 0, .opc2 = 1,
3729 .fieldoffset = offsetof(CPUARMState, elr_el[3]) },
3730 { .name = "ESR_EL3", .state = ARM_CP_STATE_AA64,
3731 .type = ARM_CP_ALIAS,
3732 .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 2, .opc2 = 0,
3733 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.esr_el[3]) },
3734 { .name = "FAR_EL3", .state = ARM_CP_STATE_AA64,
3735 .opc0 = 3, .opc1 = 6, .crn = 6, .crm = 0, .opc2 = 0,
3736 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[3]) },
3737 { .name = "SPSR_EL3", .state = ARM_CP_STATE_AA64,
3738 .type = ARM_CP_ALIAS,
3739 .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 0, .opc2 = 0,
3741 .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_MON]) },
3742 { .name = "VBAR_EL3", .state = ARM_CP_STATE_AA64,
3743 .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 0,
3744 .access = PL3_RW, .writefn = vbar_write,
3745 .fieldoffset = offsetof(CPUARMState, cp15.vbar_el[3]),
3747 { .name = "CPTR_EL3", .state = ARM_CP_STATE_AA64,
3748 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 2,
3749 .access = PL3_RW, .accessfn = cptr_access, .resetvalue = 0,
3750 .fieldoffset = offsetof(CPUARMState, cp15.cptr_el[3]) },
3751 { .name = "TPIDR_EL3", .state = ARM_CP_STATE_AA64,
3752 .opc0 = 3, .opc1 = 6, .crn = 13, .crm = 0, .opc2 = 2,
3753 .access = PL3_RW, .resetvalue = 0,
3754 .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[3]) },
3755 { .name = "AMAIR_EL3", .state = ARM_CP_STATE_AA64,
3756 .opc0 = 3, .opc1 = 6, .crn = 10, .crm = 3, .opc2 = 0,
3757 .access = PL3_RW, .type = ARM_CP_CONST,
3759 { .name = "AFSR0_EL3", .state = ARM_CP_STATE_BOTH,
3760 .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 1, .opc2 = 0,
3761 .access = PL3_RW, .type = ARM_CP_CONST,
3763 { .name = "AFSR1_EL3", .state = ARM_CP_STATE_BOTH,
3764 .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 1, .opc2 = 1,
3765 .access = PL3_RW, .type = ARM_CP_CONST,
3767 { .name = "TLBI_ALLE3IS", .state = ARM_CP_STATE_AA64,
3768 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 3, .opc2 = 0,
3769 .access = PL3_W, .type = ARM_CP_NO_RAW,
3770 .writefn = tlbi_aa64_alle3is_write },
3771 { .name = "TLBI_VAE3IS", .state = ARM_CP_STATE_AA64,
3772 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 3, .opc2 = 1,
3773 .access = PL3_W, .type = ARM_CP_NO_RAW,
3774 .writefn = tlbi_aa64_vae3is_write },
3775 { .name = "TLBI_VALE3IS", .state = ARM_CP_STATE_AA64,
3776 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 3, .opc2 = 5,
3777 .access = PL3_W, .type = ARM_CP_NO_RAW,
3778 .writefn = tlbi_aa64_vae3is_write },
3779 { .name = "TLBI_ALLE3", .state = ARM_CP_STATE_AA64,
3780 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 7, .opc2 = 0,
3781 .access = PL3_W, .type = ARM_CP_NO_RAW,
3782 .writefn = tlbi_aa64_alle3_write },
3783 { .name = "TLBI_VAE3", .state = ARM_CP_STATE_AA64,
3784 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 7, .opc2 = 1,
3785 .access = PL3_W, .type = ARM_CP_NO_RAW,
3786 .writefn = tlbi_aa64_vae3_write },
3787 { .name = "TLBI_VALE3", .state = ARM_CP_STATE_AA64,
3788 .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 7, .opc2 = 5,
3789 .access = PL3_W, .type = ARM_CP_NO_RAW,
3790 .writefn = tlbi_aa64_vae3_write },
3794 static CPAccessResult ctr_el0_access(CPUARMState *env, const ARMCPRegInfo *ri,
3797 /* Only accessible in EL0 if SCTLR.UCT is set (and only in AArch64,
3798 * but the AArch32 CTR has its own reginfo struct)
3800 if (arm_current_el(env) == 0 && !(env->cp15.sctlr_el[1] & SCTLR_UCT)) {
3801 return CP_ACCESS_TRAP;
3803 return CP_ACCESS_OK;
3806 static void oslar_write(CPUARMState *env, const ARMCPRegInfo *ri,
3809 /* Writes to OSLAR_EL1 may update the OS lock status, which can be
3810 * read via a bit in OSLSR_EL1.
3814 if (ri->state == ARM_CP_STATE_AA32) {
3815 oslock = (value == 0xC5ACCE55);
3820 env->cp15.oslsr_el1 = deposit32(env->cp15.oslsr_el1, 1, 1, oslock);
3823 static const ARMCPRegInfo debug_cp_reginfo[] = {
3824 /* DBGDRAR, DBGDSAR: always RAZ since we don't implement memory mapped
3825 * debug components. The AArch64 version of DBGDRAR is named MDRAR_EL1;
3826 * unlike DBGDRAR it is never accessible from EL0.
3827 * DBGDSAR is deprecated and must RAZ from v8 anyway, so it has no AArch64
3830 { .name = "DBGDRAR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 0,
3831 .access = PL0_R, .accessfn = access_tdra,
3832 .type = ARM_CP_CONST, .resetvalue = 0 },
3833 { .name = "MDRAR_EL1", .state = ARM_CP_STATE_AA64,
3834 .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 0,
3835 .access = PL1_R, .accessfn = access_tdra,
3836 .type = ARM_CP_CONST, .resetvalue = 0 },
3837 { .name = "DBGDSAR", .cp = 14, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0,
3838 .access = PL0_R, .accessfn = access_tdra,
3839 .type = ARM_CP_CONST, .resetvalue = 0 },
3840 /* Monitor debug system control register; the 32-bit alias is DBGDSCRext. */
3841 { .name = "MDSCR_EL1", .state = ARM_CP_STATE_BOTH,
3842 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 2,
3843 .access = PL1_RW, .accessfn = access_tda,
3844 .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1),
3846 /* MDCCSR_EL0, aka DBGDSCRint. This is a read-only mirror of MDSCR_EL1.
3847 * We don't implement the configurable EL0 access.
3849 { .name = "MDCCSR_EL0", .state = ARM_CP_STATE_BOTH,
3850 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
3851 .type = ARM_CP_ALIAS,
3852 .access = PL1_R, .accessfn = access_tda,
3853 .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1), },
3854 { .name = "OSLAR_EL1", .state = ARM_CP_STATE_BOTH,
3855 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 4,
3856 .access = PL1_W, .type = ARM_CP_NO_RAW,
3857 .accessfn = access_tdosa,
3858 .writefn = oslar_write },
3859 { .name = "OSLSR_EL1", .state = ARM_CP_STATE_BOTH,
3860 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 4,
3861 .access = PL1_R, .resetvalue = 10,
3862 .accessfn = access_tdosa,
3863 .fieldoffset = offsetof(CPUARMState, cp15.oslsr_el1) },
3864 /* Dummy OSDLR_EL1: 32-bit Linux will read this */
3865 { .name = "OSDLR_EL1", .state = ARM_CP_STATE_BOTH,
3866 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 3, .opc2 = 4,
3867 .access = PL1_RW, .accessfn = access_tdosa,
3868 .type = ARM_CP_NOP },
3869 /* Dummy DBGVCR: Linux wants to clear this on startup, but we don't
3870 * implement vector catch debug events yet.
3873 .cp = 14, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
3874 .access = PL1_RW, .accessfn = access_tda,
3875 .type = ARM_CP_NOP },
3879 static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {
3880 /* 64 bit access versions of the (dummy) debug registers */
3881 { .name = "DBGDRAR", .cp = 14, .crm = 1, .opc1 = 0,
3882 .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },
3883 { .name = "DBGDSAR", .cp = 14, .crm = 2, .opc1 = 0,
3884 .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },
3888 void hw_watchpoint_update(ARMCPU *cpu, int n)
3890 CPUARMState *env = &cpu->env;
3892 vaddr wvr = env->cp15.dbgwvr[n];
3893 uint64_t wcr = env->cp15.dbgwcr[n];
3895 int flags = BP_CPU | BP_STOP_BEFORE_ACCESS;
3897 if (env->cpu_watchpoint[n]) {
3898 cpu_watchpoint_remove_by_ref(CPU(cpu), env->cpu_watchpoint[n]);
3899 env->cpu_watchpoint[n] = NULL;
3902 if (!extract64(wcr, 0, 1)) {
3903 /* E bit clear : watchpoint disabled */
3907 switch (extract64(wcr, 3, 2)) {
3909 /* LSC 00 is reserved and must behave as if the wp is disabled */
3912 flags |= BP_MEM_READ;
3915 flags |= BP_MEM_WRITE;
3918 flags |= BP_MEM_ACCESS;
3922 /* Attempts to use both MASK and BAS fields simultaneously are
3923 * CONSTRAINED UNPREDICTABLE; we opt to ignore BAS in this case,
3924 * thus generating a watchpoint for every byte in the masked region.
3926 mask = extract64(wcr, 24, 4);
3927 if (mask == 1 || mask == 2) {
3928 /* Reserved values of MASK; we must act as if the mask value was
3929 * some non-reserved value, or as if the watchpoint were disabled.
3930 * We choose the latter.
3934 /* Watchpoint covers an aligned area up to 2GB in size */
3936 /* If masked bits in WVR are not zero it's CONSTRAINED UNPREDICTABLE
3937 * whether the watchpoint fires when the unmasked bits match; we opt
3938 * to generate the exceptions.
3942 /* Watchpoint covers bytes defined by the byte address select bits */
3943 int bas = extract64(wcr, 5, 8);
3947 /* This must act as if the watchpoint is disabled */
3951 if (extract64(wvr, 2, 1)) {
3952 /* Deprecated case of an only 4-aligned address. BAS[7:4] are
3953 * ignored, and BAS[3:0] define which bytes to watch.
3957 /* The BAS bits are supposed to be programmed to indicate a contiguous
3958 * range of bytes. Otherwise it is CONSTRAINED UNPREDICTABLE whether
3959 * we fire for each byte in the word/doubleword addressed by the WVR.
3960 * We choose to ignore any non-zero bits after the first range of 1s.
3962 basstart = ctz32(bas);
3963 len = cto32(bas >> basstart);
3967 cpu_watchpoint_insert(CPU(cpu), wvr, len, flags,
3968 &env->cpu_watchpoint[n]);
3971 void hw_watchpoint_update_all(ARMCPU *cpu)
3974 CPUARMState *env = &cpu->env;
3976 /* Completely clear out existing QEMU watchpoints and our array, to
3977 * avoid possible stale entries following migration load.
3979 cpu_watchpoint_remove_all(CPU(cpu), BP_CPU);
3980 memset(env->cpu_watchpoint, 0, sizeof(env->cpu_watchpoint));
3982 for (i = 0; i < ARRAY_SIZE(cpu->env.cpu_watchpoint); i++) {
3983 hw_watchpoint_update(cpu, i);
3987 static void dbgwvr_write(CPUARMState *env, const ARMCPRegInfo *ri,
3990 ARMCPU *cpu = arm_env_get_cpu(env);
3993 /* Bits [63:49] are hardwired to the value of bit [48]; that is, the
3994 * register reads and behaves as if values written are sign extended.
3995 * Bits [1:0] are RES0.
3997 value = sextract64(value, 0, 49) & ~3ULL;
3999 raw_write(env, ri, value);
4000 hw_watchpoint_update(cpu, i);
4003 static void dbgwcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4006 ARMCPU *cpu = arm_env_get_cpu(env);
4009 raw_write(env, ri, value);
4010 hw_watchpoint_update(cpu, i);
4013 void hw_breakpoint_update(ARMCPU *cpu, int n)
4015 CPUARMState *env = &cpu->env;
4016 uint64_t bvr = env->cp15.dbgbvr[n];
4017 uint64_t bcr = env->cp15.dbgbcr[n];
4022 if (env->cpu_breakpoint[n]) {
4023 cpu_breakpoint_remove_by_ref(CPU(cpu), env->cpu_breakpoint[n]);
4024 env->cpu_breakpoint[n] = NULL;
4027 if (!extract64(bcr, 0, 1)) {
4028 /* E bit clear : watchpoint disabled */
4032 bt = extract64(bcr, 20, 4);
4035 case 4: /* unlinked address mismatch (reserved if AArch64) */
4036 case 5: /* linked address mismatch (reserved if AArch64) */
4037 qemu_log_mask(LOG_UNIMP,
4038 "arm: address mismatch breakpoint types not implemented");
4040 case 0: /* unlinked address match */
4041 case 1: /* linked address match */
4043 /* Bits [63:49] are hardwired to the value of bit [48]; that is,
4044 * we behave as if the register was sign extended. Bits [1:0] are
4045 * RES0. The BAS field is used to allow setting breakpoints on 16
4046 * bit wide instructions; it is CONSTRAINED UNPREDICTABLE whether
4047 * a bp will fire if the addresses covered by the bp and the addresses
4048 * covered by the insn overlap but the insn doesn't start at the
4049 * start of the bp address range. We choose to require the insn and
4050 * the bp to have the same address. The constraints on writing to
4051 * BAS enforced in dbgbcr_write mean we have only four cases:
4052 * 0b0000 => no breakpoint
4053 * 0b0011 => breakpoint on addr
4054 * 0b1100 => breakpoint on addr + 2
4055 * 0b1111 => breakpoint on addr
4056 * See also figure D2-3 in the v8 ARM ARM (DDI0487A.c).
4058 int bas = extract64(bcr, 5, 4);
4059 addr = sextract64(bvr, 0, 49) & ~3ULL;
4068 case 2: /* unlinked context ID match */
4069 case 8: /* unlinked VMID match (reserved if no EL2) */
4070 case 10: /* unlinked context ID and VMID match (reserved if no EL2) */
4071 qemu_log_mask(LOG_UNIMP,
4072 "arm: unlinked context breakpoint types not implemented");
4074 case 9: /* linked VMID match (reserved if no EL2) */
4075 case 11: /* linked context ID and VMID match (reserved if no EL2) */
4076 case 3: /* linked context ID match */
4078 /* We must generate no events for Linked context matches (unless
4079 * they are linked to by some other bp/wp, which is handled in
4080 * updates for the linking bp/wp). We choose to also generate no events
4081 * for reserved values.
4086 cpu_breakpoint_insert(CPU(cpu), addr, flags, &env->cpu_breakpoint[n]);
4089 void hw_breakpoint_update_all(ARMCPU *cpu)
4092 CPUARMState *env = &cpu->env;
4094 /* Completely clear out existing QEMU breakpoints and our array, to
4095 * avoid possible stale entries following migration load.
4097 cpu_breakpoint_remove_all(CPU(cpu), BP_CPU);
4098 memset(env->cpu_breakpoint, 0, sizeof(env->cpu_breakpoint));
4100 for (i = 0; i < ARRAY_SIZE(cpu->env.cpu_breakpoint); i++) {
4101 hw_breakpoint_update(cpu, i);
4105 static void dbgbvr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4108 ARMCPU *cpu = arm_env_get_cpu(env);
4111 raw_write(env, ri, value);
4112 hw_breakpoint_update(cpu, i);
4115 static void dbgbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
4118 ARMCPU *cpu = arm_env_get_cpu(env);
4121 /* BAS[3] is a read-only copy of BAS[2], and BAS[1] a read-only
4124 value = deposit64(value, 6, 1, extract64(value, 5, 1));
4125 value = deposit64(value, 8, 1, extract64(value, 7, 1));
4127 raw_write(env, ri, value);
4128 hw_breakpoint_update(cpu, i);
4131 static void define_debug_regs(ARMCPU *cpu)
4133 /* Define v7 and v8 architectural debug registers.
4134 * These are just dummy implementations for now.
4137 int wrps, brps, ctx_cmps;
4138 ARMCPRegInfo dbgdidr = {
4139 .name = "DBGDIDR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 0,
4140 .access = PL0_R, .accessfn = access_tda,
4141 .type = ARM_CP_CONST, .resetvalue = cpu->dbgdidr,
4144 /* Note that all these register fields hold "number of Xs minus 1". */
4145 brps = extract32(cpu->dbgdidr, 24, 4);
4146 wrps = extract32(cpu->dbgdidr, 28, 4);
4147 ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
4149 assert(ctx_cmps <= brps);
4151 /* The DBGDIDR and ID_AA64DFR0_EL1 define various properties
4152 * of the debug registers such as number of breakpoints;
4153 * check that if they both exist then they agree.
4155 if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
4156 assert(extract32(cpu->id_aa64dfr0, 12, 4) == brps);
4157 assert(extract32(cpu->id_aa64dfr0, 20, 4) == wrps);
4158 assert(extract32(cpu->id_aa64dfr0, 28, 4) == ctx_cmps);
4161 define_one_arm_cp_reg(cpu, &dbgdidr);
4162 define_arm_cp_regs(cpu, debug_cp_reginfo);
4164 if (arm_feature(&cpu->env, ARM_FEATURE_LPAE)) {
4165 define_arm_cp_regs(cpu, debug_lpae_cp_reginfo);
4168 for (i = 0; i < brps + 1; i++) {
4169 ARMCPRegInfo dbgregs[] = {
4170 { .name = "DBGBVR", .state = ARM_CP_STATE_BOTH,
4171 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 4,
4172 .access = PL1_RW, .accessfn = access_tda,
4173 .fieldoffset = offsetof(CPUARMState, cp15.dbgbvr[i]),
4174 .writefn = dbgbvr_write, .raw_writefn = raw_write
4176 { .name = "DBGBCR", .state = ARM_CP_STATE_BOTH,
4177 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 5,
4178 .access = PL1_RW, .accessfn = access_tda,
4179 .fieldoffset = offsetof(CPUARMState, cp15.dbgbcr[i]),
4180 .writefn = dbgbcr_write, .raw_writefn = raw_write
4184 define_arm_cp_regs(cpu, dbgregs);
4187 for (i = 0; i < wrps + 1; i++) {
4188 ARMCPRegInfo dbgregs[] = {
4189 { .name = "DBGWVR", .state = ARM_CP_STATE_BOTH,
4190 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 6,
4191 .access = PL1_RW, .accessfn = access_tda,
4192 .fieldoffset = offsetof(CPUARMState, cp15.dbgwvr[i]),
4193 .writefn = dbgwvr_write, .raw_writefn = raw_write
4195 { .name = "DBGWCR", .state = ARM_CP_STATE_BOTH,
4196 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 7,
4197 .access = PL1_RW, .accessfn = access_tda,
4198 .fieldoffset = offsetof(CPUARMState, cp15.dbgwcr[i]),
4199 .writefn = dbgwcr_write, .raw_writefn = raw_write
4203 define_arm_cp_regs(cpu, dbgregs);
4207 void register_cp_regs_for_features(ARMCPU *cpu)
4209 /* Register all the coprocessor registers based on feature bits */
4210 CPUARMState *env = &cpu->env;
4211 if (arm_feature(env, ARM_FEATURE_M)) {
4212 /* M profile has no coprocessor registers */
4216 define_arm_cp_regs(cpu, cp_reginfo);
4217 if (!arm_feature(env, ARM_FEATURE_V8)) {
4218 /* Must go early as it is full of wildcards that may be
4219 * overridden by later definitions.
4221 define_arm_cp_regs(cpu, not_v8_cp_reginfo);
4224 if (arm_feature(env, ARM_FEATURE_V6)) {
4225 /* The ID registers all have impdef reset values */
4226 ARMCPRegInfo v6_idregs[] = {
4227 { .name = "ID_PFR0", .state = ARM_CP_STATE_BOTH,
4228 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
4229 .access = PL1_R, .type = ARM_CP_CONST,
4230 .resetvalue = cpu->id_pfr0 },
4231 { .name = "ID_PFR1", .state = ARM_CP_STATE_BOTH,
4232 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 1,
4233 .access = PL1_R, .type = ARM_CP_CONST,
4234 .resetvalue = cpu->id_pfr1 },
4235 { .name = "ID_DFR0", .state = ARM_CP_STATE_BOTH,
4236 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 2,
4237 .access = PL1_R, .type = ARM_CP_CONST,
4238 .resetvalue = cpu->id_dfr0 },
4239 { .name = "ID_AFR0", .state = ARM_CP_STATE_BOTH,
4240 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 3,
4241 .access = PL1_R, .type = ARM_CP_CONST,
4242 .resetvalue = cpu->id_afr0 },
4243 { .name = "ID_MMFR0", .state = ARM_CP_STATE_BOTH,
4244 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 4,
4245 .access = PL1_R, .type = ARM_CP_CONST,
4246 .resetvalue = cpu->id_mmfr0 },
4247 { .name = "ID_MMFR1", .state = ARM_CP_STATE_BOTH,
4248 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 5,
4249 .access = PL1_R, .type = ARM_CP_CONST,
4250 .resetvalue = cpu->id_mmfr1 },
4251 { .name = "ID_MMFR2", .state = ARM_CP_STATE_BOTH,
4252 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 6,
4253 .access = PL1_R, .type = ARM_CP_CONST,
4254 .resetvalue = cpu->id_mmfr2 },
4255 { .name = "ID_MMFR3", .state = ARM_CP_STATE_BOTH,
4256 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 7,
4257 .access = PL1_R, .type = ARM_CP_CONST,
4258 .resetvalue = cpu->id_mmfr3 },
4259 { .name = "ID_ISAR0", .state = ARM_CP_STATE_BOTH,
4260 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
4261 .access = PL1_R, .type = ARM_CP_CONST,
4262 .resetvalue = cpu->id_isar0 },
4263 { .name = "ID_ISAR1", .state = ARM_CP_STATE_BOTH,
4264 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 1,
4265 .access = PL1_R, .type = ARM_CP_CONST,
4266 .resetvalue = cpu->id_isar1 },
4267 { .name = "ID_ISAR2", .state = ARM_CP_STATE_BOTH,
4268 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 2,
4269 .access = PL1_R, .type = ARM_CP_CONST,
4270 .resetvalue = cpu->id_isar2 },
4271 { .name = "ID_ISAR3", .state = ARM_CP_STATE_BOTH,
4272 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 3,
4273 .access = PL1_R, .type = ARM_CP_CONST,
4274 .resetvalue = cpu->id_isar3 },
4275 { .name = "ID_ISAR4", .state = ARM_CP_STATE_BOTH,
4276 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 4,
4277 .access = PL1_R, .type = ARM_CP_CONST,
4278 .resetvalue = cpu->id_isar4 },
4279 { .name = "ID_ISAR5", .state = ARM_CP_STATE_BOTH,
4280 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 5,
4281 .access = PL1_R, .type = ARM_CP_CONST,
4282 .resetvalue = cpu->id_isar5 },
4283 /* 6..7 are as yet unallocated and must RAZ */
4284 { .name = "ID_ISAR6", .cp = 15, .crn = 0, .crm = 2,
4285 .opc1 = 0, .opc2 = 6, .access = PL1_R, .type = ARM_CP_CONST,
4287 { .name = "ID_ISAR7", .cp = 15, .crn = 0, .crm = 2,
4288 .opc1 = 0, .opc2 = 7, .access = PL1_R, .type = ARM_CP_CONST,
4292 define_arm_cp_regs(cpu, v6_idregs);
4293 define_arm_cp_regs(cpu, v6_cp_reginfo);
4295 define_arm_cp_regs(cpu, not_v6_cp_reginfo);
4297 if (arm_feature(env, ARM_FEATURE_V6K)) {
4298 define_arm_cp_regs(cpu, v6k_cp_reginfo);
4300 if (arm_feature(env, ARM_FEATURE_V7MP) &&
4301 !arm_feature(env, ARM_FEATURE_MPU)) {
4302 define_arm_cp_regs(cpu, v7mp_cp_reginfo);
4304 if (arm_feature(env, ARM_FEATURE_V7)) {
4305 /* v7 performance monitor control register: same implementor
4306 * field as main ID register, and we implement only the cycle
4309 #ifndef CONFIG_USER_ONLY
4310 ARMCPRegInfo pmcr = {
4311 .name = "PMCR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 0,
4313 .type = ARM_CP_IO | ARM_CP_ALIAS,
4314 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcr),
4315 .accessfn = pmreg_access, .writefn = pmcr_write,
4316 .raw_writefn = raw_write,
4318 ARMCPRegInfo pmcr64 = {
4319 .name = "PMCR_EL0", .state = ARM_CP_STATE_AA64,
4320 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 0,
4321 .access = PL0_RW, .accessfn = pmreg_access,
4323 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
4324 .resetvalue = cpu->midr & 0xff000000,
4325 .writefn = pmcr_write, .raw_writefn = raw_write,
4327 define_one_arm_cp_reg(cpu, &pmcr);
4328 define_one_arm_cp_reg(cpu, &pmcr64);
4330 ARMCPRegInfo clidr = {
4331 .name = "CLIDR", .state = ARM_CP_STATE_BOTH,
4332 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = 1,
4333 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = cpu->clidr
4335 define_one_arm_cp_reg(cpu, &clidr);
4336 define_arm_cp_regs(cpu, v7_cp_reginfo);
4337 define_debug_regs(cpu);
4339 define_arm_cp_regs(cpu, not_v7_cp_reginfo);
4341 if (arm_feature(env, ARM_FEATURE_V8)) {
4342 /* AArch64 ID registers, which all have impdef reset values */
4343 ARMCPRegInfo v8_idregs[] = {
4344 { .name = "ID_AA64PFR0_EL1", .state = ARM_CP_STATE_AA64,
4345 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 0,
4346 .access = PL1_R, .type = ARM_CP_CONST,
4347 .resetvalue = cpu->id_aa64pfr0 },
4348 { .name = "ID_AA64PFR1_EL1", .state = ARM_CP_STATE_AA64,
4349 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 1,
4350 .access = PL1_R, .type = ARM_CP_CONST,
4351 .resetvalue = cpu->id_aa64pfr1},
4352 { .name = "ID_AA64DFR0_EL1", .state = ARM_CP_STATE_AA64,
4353 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 0,
4354 .access = PL1_R, .type = ARM_CP_CONST,
4355 /* We mask out the PMUVer field, because we don't currently
4356 * implement the PMU. Not advertising it prevents the guest
4357 * from trying to use it and getting UNDEFs on registers we
4360 .resetvalue = cpu->id_aa64dfr0 & ~0xf00 },
4361 { .name = "ID_AA64DFR1_EL1", .state = ARM_CP_STATE_AA64,
4362 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 1,
4363 .access = PL1_R, .type = ARM_CP_CONST,
4364 .resetvalue = cpu->id_aa64dfr1 },
4365 { .name = "ID_AA64AFR0_EL1", .state = ARM_CP_STATE_AA64,
4366 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 4,
4367 .access = PL1_R, .type = ARM_CP_CONST,
4368 .resetvalue = cpu->id_aa64afr0 },
4369 { .name = "ID_AA64AFR1_EL1", .state = ARM_CP_STATE_AA64,
4370 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 5,
4371 .access = PL1_R, .type = ARM_CP_CONST,
4372 .resetvalue = cpu->id_aa64afr1 },
4373 { .name = "ID_AA64ISAR0_EL1", .state = ARM_CP_STATE_AA64,
4374 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 0,
4375 .access = PL1_R, .type = ARM_CP_CONST,
4376 .resetvalue = cpu->id_aa64isar0 },
4377 { .name = "ID_AA64ISAR1_EL1", .state = ARM_CP_STATE_AA64,
4378 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 1,
4379 .access = PL1_R, .type = ARM_CP_CONST,
4380 .resetvalue = cpu->id_aa64isar1 },
4381 { .name = "ID_AA64MMFR0_EL1", .state = ARM_CP_STATE_AA64,
4382 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
4383 .access = PL1_R, .type = ARM_CP_CONST,
4384 .resetvalue = cpu->id_aa64mmfr0 },
4385 { .name = "ID_AA64MMFR1_EL1", .state = ARM_CP_STATE_AA64,
4386 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 1,
4387 .access = PL1_R, .type = ARM_CP_CONST,
4388 .resetvalue = cpu->id_aa64mmfr1 },
4389 { .name = "MVFR0_EL1", .state = ARM_CP_STATE_AA64,
4390 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 0,
4391 .access = PL1_R, .type = ARM_CP_CONST,
4392 .resetvalue = cpu->mvfr0 },
4393 { .name = "MVFR1_EL1", .state = ARM_CP_STATE_AA64,
4394 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 1,
4395 .access = PL1_R, .type = ARM_CP_CONST,
4396 .resetvalue = cpu->mvfr1 },
4397 { .name = "MVFR2_EL1", .state = ARM_CP_STATE_AA64,
4398 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2,
4399 .access = PL1_R, .type = ARM_CP_CONST,
4400 .resetvalue = cpu->mvfr2 },
4401 { .name = "PMCEID0", .state = ARM_CP_STATE_AA32,
4402 .cp = 15, .opc1 = 0, .crn = 9, .crm = 12, .opc2 = 6,
4403 .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
4404 .resetvalue = cpu->pmceid0 },
4405 { .name = "PMCEID0_EL0", .state = ARM_CP_STATE_AA64,
4406 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 6,
4407 .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
4408 .resetvalue = cpu->pmceid0 },
4409 { .name = "PMCEID1", .state = ARM_CP_STATE_AA32,
4410 .cp = 15, .opc1 = 0, .crn = 9, .crm = 12, .opc2 = 7,
4411 .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
4412 .resetvalue = cpu->pmceid1 },
4413 { .name = "PMCEID1_EL0", .state = ARM_CP_STATE_AA64,
4414 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 7,
4415 .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
4416 .resetvalue = cpu->pmceid1 },
4419 /* RVBAR_EL1 is only implemented if EL1 is the highest EL */
4420 if (!arm_feature(env, ARM_FEATURE_EL3) &&
4421 !arm_feature(env, ARM_FEATURE_EL2)) {
4422 ARMCPRegInfo rvbar = {
4423 .name = "RVBAR_EL1", .state = ARM_CP_STATE_AA64,
4424 .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1,
4425 .type = ARM_CP_CONST, .access = PL1_R, .resetvalue = cpu->rvbar
4427 define_one_arm_cp_reg(cpu, &rvbar);
4429 define_arm_cp_regs(cpu, v8_idregs);
4430 define_arm_cp_regs(cpu, v8_cp_reginfo);
4432 if (arm_feature(env, ARM_FEATURE_EL2)) {
4433 uint64_t vmpidr_def = mpidr_read_val(env);
4434 ARMCPRegInfo vpidr_regs[] = {
4435 { .name = "VPIDR", .state = ARM_CP_STATE_AA32,
4436 .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
4437 .access = PL2_RW, .accessfn = access_el3_aa32ns,
4438 .resetvalue = cpu->midr,
4439 .fieldoffset = offsetof(CPUARMState, cp15.vpidr_el2) },
4440 { .name = "VPIDR_EL2", .state = ARM_CP_STATE_AA64,
4441 .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
4442 .access = PL2_RW, .resetvalue = cpu->midr,
4443 .fieldoffset = offsetof(CPUARMState, cp15.vpidr_el2) },
4444 { .name = "VMPIDR", .state = ARM_CP_STATE_AA32,
4445 .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
4446 .access = PL2_RW, .accessfn = access_el3_aa32ns,
4447 .resetvalue = vmpidr_def,
4448 .fieldoffset = offsetof(CPUARMState, cp15.vmpidr_el2) },
4449 { .name = "VMPIDR_EL2", .state = ARM_CP_STATE_AA64,
4450 .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
4452 .resetvalue = vmpidr_def,
4453 .fieldoffset = offsetof(CPUARMState, cp15.vmpidr_el2) },
4456 define_arm_cp_regs(cpu, vpidr_regs);
4457 define_arm_cp_regs(cpu, el2_cp_reginfo);
4458 /* RVBAR_EL2 is only implemented if EL2 is the highest EL */
4459 if (!arm_feature(env, ARM_FEATURE_EL3)) {
4460 ARMCPRegInfo rvbar = {
4461 .name = "RVBAR_EL2", .state = ARM_CP_STATE_AA64,
4462 .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 1,
4463 .type = ARM_CP_CONST, .access = PL2_R, .resetvalue = cpu->rvbar
4465 define_one_arm_cp_reg(cpu, &rvbar);
4468 /* If EL2 is missing but higher ELs are enabled, we need to
4469 * register the no_el2 reginfos.
4471 if (arm_feature(env, ARM_FEATURE_EL3)) {
4472 /* When EL3 exists but not EL2, VPIDR and VMPIDR take the value
4473 * of MIDR_EL1 and MPIDR_EL1.
4475 ARMCPRegInfo vpidr_regs[] = {
4476 { .name = "VPIDR_EL2", .state = ARM_CP_STATE_BOTH,
4477 .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
4478 .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
4479 .type = ARM_CP_CONST, .resetvalue = cpu->midr,
4480 .fieldoffset = offsetof(CPUARMState, cp15.vpidr_el2) },
4481 { .name = "VMPIDR_EL2", .state = ARM_CP_STATE_BOTH,
4482 .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
4483 .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
4484 .type = ARM_CP_NO_RAW,
4485 .writefn = arm_cp_write_ignore, .readfn = mpidr_read },
4488 define_arm_cp_regs(cpu, vpidr_regs);
4489 define_arm_cp_regs(cpu, el3_no_el2_cp_reginfo);
4492 if (arm_feature(env, ARM_FEATURE_EL3)) {
4493 define_arm_cp_regs(cpu, el3_cp_reginfo);
4494 ARMCPRegInfo rvbar = {
4495 .name = "RVBAR_EL3", .state = ARM_CP_STATE_AA64,
4496 .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 1,
4497 .type = ARM_CP_CONST, .access = PL3_R, .resetvalue = cpu->rvbar
4499 define_one_arm_cp_reg(cpu, &rvbar);
4501 /* The behaviour of NSACR is sufficiently various that we don't
4502 * try to describe it in a single reginfo:
4503 * if EL3 is 64 bit, then trap to EL3 from S EL1,
4504 * reads as constant 0xc00 from NS EL1 and NS EL2
4505 * if EL3 is 32 bit, then RW at EL3, RO at NS EL1 and NS EL2
4506 * if v7 without EL3, register doesn't exist
4507 * if v8 without EL3, reads as constant 0xc00 from NS EL1 and NS EL2
4509 if (arm_feature(env, ARM_FEATURE_EL3)) {
4510 if (arm_feature(env, ARM_FEATURE_AARCH64)) {
4511 ARMCPRegInfo nsacr = {
4512 .name = "NSACR", .type = ARM_CP_CONST,
4513 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
4514 .access = PL1_RW, .accessfn = nsacr_access,
4517 define_one_arm_cp_reg(cpu, &nsacr);
4519 ARMCPRegInfo nsacr = {
4521 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
4522 .access = PL3_RW | PL1_R,
4524 .fieldoffset = offsetof(CPUARMState, cp15.nsacr)
4526 define_one_arm_cp_reg(cpu, &nsacr);
4529 if (arm_feature(env, ARM_FEATURE_V8)) {
4530 ARMCPRegInfo nsacr = {
4531 .name = "NSACR", .type = ARM_CP_CONST,
4532 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
4536 define_one_arm_cp_reg(cpu, &nsacr);
4540 if (arm_feature(env, ARM_FEATURE_MPU)) {
4541 if (arm_feature(env, ARM_FEATURE_V6)) {
4542 /* PMSAv6 not implemented */
4543 assert(arm_feature(env, ARM_FEATURE_V7));
4544 define_arm_cp_regs(cpu, vmsa_pmsa_cp_reginfo);
4545 define_arm_cp_regs(cpu, pmsav7_cp_reginfo);
4547 define_arm_cp_regs(cpu, pmsav5_cp_reginfo);
4550 define_arm_cp_regs(cpu, vmsa_pmsa_cp_reginfo);
4551 define_arm_cp_regs(cpu, vmsa_cp_reginfo);
4553 if (arm_feature(env, ARM_FEATURE_THUMB2EE)) {
4554 define_arm_cp_regs(cpu, t2ee_cp_reginfo);
4556 if (arm_feature(env, ARM_FEATURE_GENERIC_TIMER)) {
4557 define_arm_cp_regs(cpu, generic_timer_cp_reginfo);
4559 if (arm_feature(env, ARM_FEATURE_VAPA)) {
4560 define_arm_cp_regs(cpu, vapa_cp_reginfo);
4562 if (arm_feature(env, ARM_FEATURE_CACHE_TEST_CLEAN)) {
4563 define_arm_cp_regs(cpu, cache_test_clean_cp_reginfo);
4565 if (arm_feature(env, ARM_FEATURE_CACHE_DIRTY_REG)) {
4566 define_arm_cp_regs(cpu, cache_dirty_status_cp_reginfo);
4568 if (arm_feature(env, ARM_FEATURE_CACHE_BLOCK_OPS)) {
4569 define_arm_cp_regs(cpu, cache_block_ops_cp_reginfo);
4571 if (arm_feature(env, ARM_FEATURE_OMAPCP)) {
4572 define_arm_cp_regs(cpu, omap_cp_reginfo);
4574 if (arm_feature(env, ARM_FEATURE_STRONGARM)) {
4575 define_arm_cp_regs(cpu, strongarm_cp_reginfo);
4577 if (arm_feature(env, ARM_FEATURE_XSCALE)) {
4578 define_arm_cp_regs(cpu, xscale_cp_reginfo);
4580 if (arm_feature(env, ARM_FEATURE_DUMMY_C15_REGS)) {
4581 define_arm_cp_regs(cpu, dummy_c15_cp_reginfo);
4583 if (arm_feature(env, ARM_FEATURE_LPAE)) {
4584 define_arm_cp_regs(cpu, lpae_cp_reginfo);
4586 /* Slightly awkwardly, the OMAP and StrongARM cores need all of
4587 * cp15 crn=0 to be writes-ignored, whereas for other cores they should
4588 * be read-only (ie write causes UNDEF exception).
4591 ARMCPRegInfo id_pre_v8_midr_cp_reginfo[] = {
4592 /* Pre-v8 MIDR space.
4593 * Note that the MIDR isn't a simple constant register because
4594 * of the TI925 behaviour where writes to another register can
4595 * cause the MIDR value to change.
4597 * Unimplemented registers in the c15 0 0 0 space default to
4598 * MIDR. Define MIDR first as this entire space, then CTR, TCMTR
4599 * and friends override accordingly.
4602 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = CP_ANY,
4603 .access = PL1_R, .resetvalue = cpu->midr,
4604 .writefn = arm_cp_write_ignore, .raw_writefn = raw_write,
4605 .readfn = midr_read,
4606 .fieldoffset = offsetof(CPUARMState, cp15.c0_cpuid),
4607 .type = ARM_CP_OVERRIDE },
4608 /* crn = 0 op1 = 0 crm = 3..7 : currently unassigned; we RAZ. */
4610 .cp = 15, .crn = 0, .crm = 3, .opc1 = 0, .opc2 = CP_ANY,
4611 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
4613 .cp = 15, .crn = 0, .crm = 4, .opc1 = 0, .opc2 = CP_ANY,
4614 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
4616 .cp = 15, .crn = 0, .crm = 5, .opc1 = 0, .opc2 = CP_ANY,
4617 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
4619 .cp = 15, .crn = 0, .crm = 6, .opc1 = 0, .opc2 = CP_ANY,
4620 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
4622 .cp = 15, .crn = 0, .crm = 7, .opc1 = 0, .opc2 = CP_ANY,
4623 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
4626 ARMCPRegInfo id_v8_midr_cp_reginfo[] = {
4627 { .name = "MIDR_EL1", .state = ARM_CP_STATE_BOTH,
4628 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 0,
4629 .access = PL1_R, .type = ARM_CP_NO_RAW, .resetvalue = cpu->midr,
4630 .fieldoffset = offsetof(CPUARMState, cp15.c0_cpuid),
4631 .readfn = midr_read },
4632 /* crn = 0 op1 = 0 crm = 0 op2 = 4,7 : AArch32 aliases of MIDR */
4633 { .name = "MIDR", .type = ARM_CP_ALIAS | ARM_CP_CONST,
4634 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 4,
4635 .access = PL1_R, .resetvalue = cpu->midr },
4636 { .name = "MIDR", .type = ARM_CP_ALIAS | ARM_CP_CONST,
4637 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 7,
4638 .access = PL1_R, .resetvalue = cpu->midr },
4639 { .name = "REVIDR_EL1", .state = ARM_CP_STATE_BOTH,
4640 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 6,
4641 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = cpu->revidr },
4644 ARMCPRegInfo id_cp_reginfo[] = {
4645 /* These are common to v8 and pre-v8 */
4647 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 1,
4648 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = cpu->ctr },
4649 { .name = "CTR_EL0", .state = ARM_CP_STATE_AA64,
4650 .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 0, .crm = 0,
4651 .access = PL0_R, .accessfn = ctr_el0_access,
4652 .type = ARM_CP_CONST, .resetvalue = cpu->ctr },
4653 /* TCMTR and TLBTR exist in v8 but have no 64-bit versions */
4655 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 2,
4656 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
4659 /* TLBTR is specific to VMSA */
4660 ARMCPRegInfo id_tlbtr_reginfo = {
4662 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 3,
4663 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0,
4665 /* MPUIR is specific to PMSA V6+ */
4666 ARMCPRegInfo id_mpuir_reginfo = {
4668 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 4,
4669 .access = PL1_R, .type = ARM_CP_CONST,
4670 .resetvalue = cpu->pmsav7_dregion << 8
4672 ARMCPRegInfo crn0_wi_reginfo = {
4673 .name = "CRN0_WI", .cp = 15, .crn = 0, .crm = CP_ANY,
4674 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_W,
4675 .type = ARM_CP_NOP | ARM_CP_OVERRIDE
4677 if (arm_feature(env, ARM_FEATURE_OMAPCP) ||
4678 arm_feature(env, ARM_FEATURE_STRONGARM)) {
4680 /* Register the blanket "writes ignored" value first to cover the
4681 * whole space. Then update the specific ID registers to allow write
4682 * access, so that they ignore writes rather than causing them to
4685 define_one_arm_cp_reg(cpu, &crn0_wi_reginfo);
4686 for (r = id_pre_v8_midr_cp_reginfo;
4687 r->type != ARM_CP_SENTINEL; r++) {
4690 for (r = id_cp_reginfo; r->type != ARM_CP_SENTINEL; r++) {
4693 id_tlbtr_reginfo.access = PL1_RW;
4694 id_tlbtr_reginfo.access = PL1_RW;
4696 if (arm_feature(env, ARM_FEATURE_V8)) {
4697 define_arm_cp_regs(cpu, id_v8_midr_cp_reginfo);
4699 define_arm_cp_regs(cpu, id_pre_v8_midr_cp_reginfo);
4701 define_arm_cp_regs(cpu, id_cp_reginfo);
4702 if (!arm_feature(env, ARM_FEATURE_MPU)) {
4703 define_one_arm_cp_reg(cpu, &id_tlbtr_reginfo);
4704 } else if (arm_feature(env, ARM_FEATURE_V7)) {
4705 define_one_arm_cp_reg(cpu, &id_mpuir_reginfo);
4709 if (arm_feature(env, ARM_FEATURE_MPIDR)) {
4710 define_arm_cp_regs(cpu, mpidr_cp_reginfo);
4713 if (arm_feature(env, ARM_FEATURE_AUXCR)) {
4714 ARMCPRegInfo auxcr_reginfo[] = {
4715 { .name = "ACTLR_EL1", .state = ARM_CP_STATE_BOTH,
4716 .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 1,
4717 .access = PL1_RW, .type = ARM_CP_CONST,
4718 .resetvalue = cpu->reset_auxcr },
4719 { .name = "ACTLR_EL2", .state = ARM_CP_STATE_BOTH,
4720 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 1,
4721 .access = PL2_RW, .type = ARM_CP_CONST,
4723 { .name = "ACTLR_EL3", .state = ARM_CP_STATE_AA64,
4724 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 0, .opc2 = 1,
4725 .access = PL3_RW, .type = ARM_CP_CONST,
4729 define_arm_cp_regs(cpu, auxcr_reginfo);
4732 if (arm_feature(env, ARM_FEATURE_CBAR)) {
4733 if (arm_feature(env, ARM_FEATURE_AARCH64)) {
4734 /* 32 bit view is [31:18] 0...0 [43:32]. */
4735 uint32_t cbar32 = (extract64(cpu->reset_cbar, 18, 14) << 18)
4736 | extract64(cpu->reset_cbar, 32, 12);
4737 ARMCPRegInfo cbar_reginfo[] = {
4739 .type = ARM_CP_CONST,
4740 .cp = 15, .crn = 15, .crm = 0, .opc1 = 4, .opc2 = 0,
4741 .access = PL1_R, .resetvalue = cpu->reset_cbar },
4742 { .name = "CBAR_EL1", .state = ARM_CP_STATE_AA64,
4743 .type = ARM_CP_CONST,
4744 .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 0,
4745 .access = PL1_R, .resetvalue = cbar32 },
4748 /* We don't implement a r/w 64 bit CBAR currently */
4749 assert(arm_feature(env, ARM_FEATURE_CBAR_RO));
4750 define_arm_cp_regs(cpu, cbar_reginfo);
4752 ARMCPRegInfo cbar = {
4754 .cp = 15, .crn = 15, .crm = 0, .opc1 = 4, .opc2 = 0,
4755 .access = PL1_R|PL3_W, .resetvalue = cpu->reset_cbar,
4756 .fieldoffset = offsetof(CPUARMState,
4757 cp15.c15_config_base_address)
4759 if (arm_feature(env, ARM_FEATURE_CBAR_RO)) {
4760 cbar.access = PL1_R;
4761 cbar.fieldoffset = 0;
4762 cbar.type = ARM_CP_CONST;
4764 define_one_arm_cp_reg(cpu, &cbar);
4768 /* Generic registers whose values depend on the implementation */
4770 ARMCPRegInfo sctlr = {
4771 .name = "SCTLR", .state = ARM_CP_STATE_BOTH,
4772 .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 0,
4774 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.sctlr_s),
4775 offsetof(CPUARMState, cp15.sctlr_ns) },
4776 .writefn = sctlr_write, .resetvalue = cpu->reset_sctlr,
4777 .raw_writefn = raw_write,
4779 if (arm_feature(env, ARM_FEATURE_XSCALE)) {
4780 /* Normally we would always end the TB on an SCTLR write, but Linux
4781 * arch/arm/mach-pxa/sleep.S expects two instructions following
4782 * an MMU enable to execute from cache. Imitate this behaviour.
4784 sctlr.type |= ARM_CP_SUPPRESS_TB_END;
4786 define_one_arm_cp_reg(cpu, &sctlr);
4790 ARMCPU *cpu_arm_init(const char *cpu_model)
4792 return ARM_CPU(cpu_generic_init(TYPE_ARM_CPU, cpu_model));
4795 void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
4797 CPUState *cs = CPU(cpu);
4798 CPUARMState *env = &cpu->env;
4800 if (arm_feature(env, ARM_FEATURE_AARCH64)) {
4801 gdb_register_coprocessor(cs, aarch64_fpu_gdb_get_reg,
4802 aarch64_fpu_gdb_set_reg,
4803 34, "aarch64-fpu.xml", 0);
4804 } else if (arm_feature(env, ARM_FEATURE_NEON)) {
4805 gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
4806 51, "arm-neon.xml", 0);
4807 } else if (arm_feature(env, ARM_FEATURE_VFP3)) {
4808 gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
4809 35, "arm-vfp3.xml", 0);
4810 } else if (arm_feature(env, ARM_FEATURE_VFP)) {
4811 gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
4812 19, "arm-vfp.xml", 0);
4816 /* Sort alphabetically by type name, except for "any". */
4817 static gint arm_cpu_list_compare(gconstpointer a, gconstpointer b)
4819 ObjectClass *class_a = (ObjectClass *)a;
4820 ObjectClass *class_b = (ObjectClass *)b;
4821 const char *name_a, *name_b;
4823 name_a = object_class_get_name(class_a);
4824 name_b = object_class_get_name(class_b);
4825 if (strcmp(name_a, "any-" TYPE_ARM_CPU) == 0) {
4827 } else if (strcmp(name_b, "any-" TYPE_ARM_CPU) == 0) {
4830 return strcmp(name_a, name_b);
4834 static void arm_cpu_list_entry(gpointer data, gpointer user_data)
4836 ObjectClass *oc = data;
4837 CPUListState *s = user_data;
4838 const char *typename;
4841 typename = object_class_get_name(oc);
4842 name = g_strndup(typename, strlen(typename) - strlen("-" TYPE_ARM_CPU));
4843 (*s->cpu_fprintf)(s->file, " %s\n",
4848 void arm_cpu_list(FILE *f, fprintf_function cpu_fprintf)
4852 .cpu_fprintf = cpu_fprintf,
4856 list = object_class_get_list(TYPE_ARM_CPU, false);
4857 list = g_slist_sort(list, arm_cpu_list_compare);
4858 (*cpu_fprintf)(f, "Available CPUs:\n");
4859 g_slist_foreach(list, arm_cpu_list_entry, &s);
4862 /* The 'host' CPU type is dynamically registered only if KVM is
4863 * enabled, so we have to special-case it here:
4865 (*cpu_fprintf)(f, " host (only available in KVM mode)\n");
4869 static void arm_cpu_add_definition(gpointer data, gpointer user_data)
4871 ObjectClass *oc = data;
4872 CpuDefinitionInfoList **cpu_list = user_data;
4873 CpuDefinitionInfoList *entry;
4874 CpuDefinitionInfo *info;
4875 const char *typename;
4877 typename = object_class_get_name(oc);
4878 info = g_malloc0(sizeof(*info));
4879 info->name = g_strndup(typename,
4880 strlen(typename) - strlen("-" TYPE_ARM_CPU));
4882 entry = g_malloc0(sizeof(*entry));
4883 entry->value = info;
4884 entry->next = *cpu_list;
4888 CpuDefinitionInfoList *arch_query_cpu_definitions(Error **errp)
4890 CpuDefinitionInfoList *cpu_list = NULL;
4893 list = object_class_get_list(TYPE_ARM_CPU, false);
4894 g_slist_foreach(list, arm_cpu_add_definition, &cpu_list);
4900 static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
4901 void *opaque, int state, int secstate,
4902 int crm, int opc1, int opc2)
4904 /* Private utility function for define_one_arm_cp_reg_with_opaque():
4905 * add a single reginfo struct to the hash table.
4907 uint32_t *key = g_new(uint32_t, 1);
4908 ARMCPRegInfo *r2 = g_memdup(r, sizeof(ARMCPRegInfo));
4909 int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0;
4910 int ns = (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0;
4912 /* Reset the secure state to the specific incoming state. This is
4913 * necessary as the register may have been defined with both states.
4915 r2->secure = secstate;
4917 if (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1]) {
4918 /* Register is banked (using both entries in array).
4919 * Overwriting fieldoffset as the array is only used to define
4920 * banked registers but later only fieldoffset is used.
4922 r2->fieldoffset = r->bank_fieldoffsets[ns];
4925 if (state == ARM_CP_STATE_AA32) {
4926 if (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1]) {
4927 /* If the register is banked then we don't need to migrate or
4928 * reset the 32-bit instance in certain cases:
4930 * 1) If the register has both 32-bit and 64-bit instances then we
4931 * can count on the 64-bit instance taking care of the
4933 * 2) If ARMv8 is enabled then we can count on a 64-bit version
4934 * taking care of the secure bank. This requires that separate
4935 * 32 and 64-bit definitions are provided.
4937 if ((r->state == ARM_CP_STATE_BOTH && ns) ||
4938 (arm_feature(&cpu->env, ARM_FEATURE_V8) && !ns)) {
4939 r2->type |= ARM_CP_ALIAS;
4941 } else if ((secstate != r->secure) && !ns) {
4942 /* The register is not banked so we only want to allow migration of
4943 * the non-secure instance.
4945 r2->type |= ARM_CP_ALIAS;
4948 if (r->state == ARM_CP_STATE_BOTH) {
4949 /* We assume it is a cp15 register if the .cp field is left unset.
4955 #ifdef HOST_WORDS_BIGENDIAN
4956 if (r2->fieldoffset) {
4957 r2->fieldoffset += sizeof(uint32_t);
4962 if (state == ARM_CP_STATE_AA64) {
4963 /* To allow abbreviation of ARMCPRegInfo
4964 * definitions, we treat cp == 0 as equivalent to
4965 * the value for "standard guest-visible sysreg".
4966 * STATE_BOTH definitions are also always "standard
4967 * sysreg" in their AArch64 view (the .cp value may
4968 * be non-zero for the benefit of the AArch32 view).
4970 if (r->cp == 0 || r->state == ARM_CP_STATE_BOTH) {
4971 r2->cp = CP_REG_ARM64_SYSREG_CP;
4973 *key = ENCODE_AA64_CP_REG(r2->cp, r2->crn, crm,
4974 r2->opc0, opc1, opc2);
4976 *key = ENCODE_CP_REG(r2->cp, is64, ns, r2->crn, crm, opc1, opc2);
4979 r2->opaque = opaque;
4981 /* reginfo passed to helpers is correct for the actual access,
4982 * and is never ARM_CP_STATE_BOTH:
4985 /* Make sure reginfo passed to helpers for wildcarded regs
4986 * has the correct crm/opc1/opc2 for this reg, not CP_ANY:
4991 /* By convention, for wildcarded registers only the first
4992 * entry is used for migration; the others are marked as
4993 * ALIAS so we don't try to transfer the register
4994 * multiple times. Special registers (ie NOP/WFI) are
4995 * never migratable and not even raw-accessible.
4997 if ((r->type & ARM_CP_SPECIAL)) {
4998 r2->type |= ARM_CP_NO_RAW;
5000 if (((r->crm == CP_ANY) && crm != 0) ||
5001 ((r->opc1 == CP_ANY) && opc1 != 0) ||
5002 ((r->opc2 == CP_ANY) && opc2 != 0)) {
5003 r2->type |= ARM_CP_ALIAS;
5006 /* Check that raw accesses are either forbidden or handled. Note that
5007 * we can't assert this earlier because the setup of fieldoffset for
5008 * banked registers has to be done first.
5010 if (!(r2->type & ARM_CP_NO_RAW)) {
5011 assert(!raw_accessors_invalid(r2));
5014 /* Overriding of an existing definition must be explicitly
5017 if (!(r->type & ARM_CP_OVERRIDE)) {
5018 ARMCPRegInfo *oldreg;
5019 oldreg = g_hash_table_lookup(cpu->cp_regs, key);
5020 if (oldreg && !(oldreg->type & ARM_CP_OVERRIDE)) {
5021 fprintf(stderr, "Register redefined: cp=%d %d bit "
5022 "crn=%d crm=%d opc1=%d opc2=%d, "
5023 "was %s, now %s\n", r2->cp, 32 + 32 * is64,
5024 r2->crn, r2->crm, r2->opc1, r2->opc2,
5025 oldreg->name, r2->name);
5026 g_assert_not_reached();
5029 g_hash_table_insert(cpu->cp_regs, key, r2);
5033 void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
5034 const ARMCPRegInfo *r, void *opaque)
5036 /* Define implementations of coprocessor registers.
5037 * We store these in a hashtable because typically
5038 * there are less than 150 registers in a space which
5039 * is 16*16*16*8*8 = 262144 in size.
5040 * Wildcarding is supported for the crm, opc1 and opc2 fields.
5041 * If a register is defined twice then the second definition is
5042 * used, so this can be used to define some generic registers and
5043 * then override them with implementation specific variations.
5044 * At least one of the original and the second definition should
5045 * include ARM_CP_OVERRIDE in its type bits -- this is just a guard
5046 * against accidental use.
5048 * The state field defines whether the register is to be
5049 * visible in the AArch32 or AArch64 execution state. If the
5050 * state is set to ARM_CP_STATE_BOTH then we synthesise a
5051 * reginfo structure for the AArch32 view, which sees the lower
5052 * 32 bits of the 64 bit register.
5054 * Only registers visible in AArch64 may set r->opc0; opc0 cannot
5055 * be wildcarded. AArch64 registers are always considered to be 64
5056 * bits; the ARM_CP_64BIT* flag applies only to the AArch32 view of
5057 * the register, if any.
5059 int crm, opc1, opc2, state;
5060 int crmmin = (r->crm == CP_ANY) ? 0 : r->crm;
5061 int crmmax = (r->crm == CP_ANY) ? 15 : r->crm;
5062 int opc1min = (r->opc1 == CP_ANY) ? 0 : r->opc1;
5063 int opc1max = (r->opc1 == CP_ANY) ? 7 : r->opc1;
5064 int opc2min = (r->opc2 == CP_ANY) ? 0 : r->opc2;
5065 int opc2max = (r->opc2 == CP_ANY) ? 7 : r->opc2;
5066 /* 64 bit registers have only CRm and Opc1 fields */
5067 assert(!((r->type & ARM_CP_64BIT) && (r->opc2 || r->crn)));
5068 /* op0 only exists in the AArch64 encodings */
5069 assert((r->state != ARM_CP_STATE_AA32) || (r->opc0 == 0));
5070 /* AArch64 regs are all 64 bit so ARM_CP_64BIT is meaningless */
5071 assert((r->state != ARM_CP_STATE_AA64) || !(r->type & ARM_CP_64BIT));
5072 /* The AArch64 pseudocode CheckSystemAccess() specifies that op1
5073 * encodes a minimum access level for the register. We roll this
5074 * runtime check into our general permission check code, so check
5075 * here that the reginfo's specified permissions are strict enough
5076 * to encompass the generic architectural permission check.
5078 if (r->state != ARM_CP_STATE_AA32) {
5081 case 0: case 1: case 2:
5094 /* unallocated encoding, so not possible */
5102 /* min_EL EL1, secure mode only (we don't check the latter) */
5106 /* broken reginfo with out-of-range opc1 */
5110 /* assert our permissions are not too lax (stricter is fine) */
5111 assert((r->access & ~mask) == 0);
5114 /* Check that the register definition has enough info to handle
5115 * reads and writes if they are permitted.
5117 if (!(r->type & (ARM_CP_SPECIAL|ARM_CP_CONST))) {
5118 if (r->access & PL3_R) {
5119 assert((r->fieldoffset ||
5120 (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1])) ||
5123 if (r->access & PL3_W) {
5124 assert((r->fieldoffset ||
5125 (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1])) ||
5129 /* Bad type field probably means missing sentinel at end of reg list */
5130 assert(cptype_valid(r->type));
5131 for (crm = crmmin; crm <= crmmax; crm++) {
5132 for (opc1 = opc1min; opc1 <= opc1max; opc1++) {
5133 for (opc2 = opc2min; opc2 <= opc2max; opc2++) {
5134 for (state = ARM_CP_STATE_AA32;
5135 state <= ARM_CP_STATE_AA64; state++) {
5136 if (r->state != state && r->state != ARM_CP_STATE_BOTH) {
5139 if (state == ARM_CP_STATE_AA32) {
5140 /* Under AArch32 CP registers can be common
5141 * (same for secure and non-secure world) or banked.
5143 switch (r->secure) {
5144 case ARM_CP_SECSTATE_S:
5145 case ARM_CP_SECSTATE_NS:
5146 add_cpreg_to_hashtable(cpu, r, opaque, state,
5147 r->secure, crm, opc1, opc2);
5150 add_cpreg_to_hashtable(cpu, r, opaque, state,
5153 add_cpreg_to_hashtable(cpu, r, opaque, state,
5159 /* AArch64 registers get mapped to non-secure instance
5161 add_cpreg_to_hashtable(cpu, r, opaque, state,
5171 void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
5172 const ARMCPRegInfo *regs, void *opaque)
5174 /* Define a whole list of registers */
5175 const ARMCPRegInfo *r;
5176 for (r = regs; r->type != ARM_CP_SENTINEL; r++) {
5177 define_one_arm_cp_reg_with_opaque(cpu, r, opaque);
5181 const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp)
5183 return g_hash_table_lookup(cpregs, &encoded_cp);
5186 void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
5189 /* Helper coprocessor write function for write-ignore registers */
5192 uint64_t arm_cp_read_zero(CPUARMState *env, const ARMCPRegInfo *ri)
5194 /* Helper coprocessor write function for read-as-zero registers */
5198 void arm_cp_reset_ignore(CPUARMState *env, const ARMCPRegInfo *opaque)
5200 /* Helper coprocessor reset function for do-nothing-on-reset registers */
5203 static int bad_mode_switch(CPUARMState *env, int mode)
5205 /* Return true if it is not valid for us to switch to
5206 * this CPU mode (ie all the UNPREDICTABLE cases in
5207 * the ARM ARM CPSRWriteByInstr pseudocode).
5210 case ARM_CPU_MODE_USR:
5211 case ARM_CPU_MODE_SYS:
5212 case ARM_CPU_MODE_SVC:
5213 case ARM_CPU_MODE_ABT:
5214 case ARM_CPU_MODE_UND:
5215 case ARM_CPU_MODE_IRQ:
5216 case ARM_CPU_MODE_FIQ:
5217 /* Note that we don't implement the IMPDEF NSACR.RFR which in v7
5218 * allows FIQ mode to be Secure-only. (In v8 this doesn't exist.)
5221 case ARM_CPU_MODE_HYP:
5222 return !arm_feature(env, ARM_FEATURE_EL2)
5223 || arm_current_el(env) < 2 || arm_is_secure(env);
5224 case ARM_CPU_MODE_MON:
5225 return arm_current_el(env) < 3;
5231 uint32_t cpsr_read(CPUARMState *env)
5234 ZF = (env->ZF == 0);
5235 return env->uncached_cpsr | (env->NF & 0x80000000) | (ZF << 30) |
5236 (env->CF << 29) | ((env->VF & 0x80000000) >> 3) | (env->QF << 27)
5237 | (env->thumb << 5) | ((env->condexec_bits & 3) << 25)
5238 | ((env->condexec_bits & 0xfc) << 8)
5239 | (env->GE << 16) | (env->daif & CPSR_AIF);
5242 void cpsr_write(CPUARMState *env, uint32_t val, uint32_t mask,
5243 CPSRWriteType write_type)
5245 uint32_t changed_daif;
5247 if (mask & CPSR_NZCV) {
5248 env->ZF = (~val) & CPSR_Z;
5250 env->CF = (val >> 29) & 1;
5251 env->VF = (val << 3) & 0x80000000;
5254 env->QF = ((val & CPSR_Q) != 0);
5256 env->thumb = ((val & CPSR_T) != 0);
5257 if (mask & CPSR_IT_0_1) {
5258 env->condexec_bits &= ~3;
5259 env->condexec_bits |= (val >> 25) & 3;
5261 if (mask & CPSR_IT_2_7) {
5262 env->condexec_bits &= 3;
5263 env->condexec_bits |= (val >> 8) & 0xfc;
5265 if (mask & CPSR_GE) {
5266 env->GE = (val >> 16) & 0xf;
5269 /* In a V7 implementation that includes the security extensions but does
5270 * not include Virtualization Extensions the SCR.FW and SCR.AW bits control
5271 * whether non-secure software is allowed to change the CPSR_F and CPSR_A
5272 * bits respectively.
5274 * In a V8 implementation, it is permitted for privileged software to
5275 * change the CPSR A/F bits regardless of the SCR.AW/FW bits.
5277 if (write_type != CPSRWriteRaw && !arm_feature(env, ARM_FEATURE_V8) &&
5278 arm_feature(env, ARM_FEATURE_EL3) &&
5279 !arm_feature(env, ARM_FEATURE_EL2) &&
5280 !arm_is_secure(env)) {
5282 changed_daif = (env->daif ^ val) & mask;
5284 if (changed_daif & CPSR_A) {
5285 /* Check to see if we are allowed to change the masking of async
5286 * abort exceptions from a non-secure state.
5288 if (!(env->cp15.scr_el3 & SCR_AW)) {
5289 qemu_log_mask(LOG_GUEST_ERROR,
5290 "Ignoring attempt to switch CPSR_A flag from "
5291 "non-secure world with SCR.AW bit clear\n");
5296 if (changed_daif & CPSR_F) {
5297 /* Check to see if we are allowed to change the masking of FIQ
5298 * exceptions from a non-secure state.
5300 if (!(env->cp15.scr_el3 & SCR_FW)) {
5301 qemu_log_mask(LOG_GUEST_ERROR,
5302 "Ignoring attempt to switch CPSR_F flag from "
5303 "non-secure world with SCR.FW bit clear\n");
5307 /* Check whether non-maskable FIQ (NMFI) support is enabled.
5308 * If this bit is set software is not allowed to mask
5309 * FIQs, but is allowed to set CPSR_F to 0.
5311 if ((A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_NMFI) &&
5313 qemu_log_mask(LOG_GUEST_ERROR,
5314 "Ignoring attempt to enable CPSR_F flag "
5315 "(non-maskable FIQ [NMFI] support enabled)\n");
5321 env->daif &= ~(CPSR_AIF & mask);
5322 env->daif |= val & CPSR_AIF & mask;
5324 if (write_type != CPSRWriteRaw &&
5325 (env->uncached_cpsr & CPSR_M) != CPSR_USER &&
5326 ((env->uncached_cpsr ^ val) & mask & CPSR_M)) {
5327 if (bad_mode_switch(env, val & CPSR_M)) {
5328 /* Attempt to switch to an invalid mode: this is UNPREDICTABLE in
5329 * v7, and has defined behaviour in v8:
5330 * + leave CPSR.M untouched
5331 * + allow changes to the other CPSR fields
5333 * For user changes via the GDB stub, we don't set PSTATE.IL,
5334 * as this would be unnecessarily harsh for a user error.
5337 if (write_type != CPSRWriteByGDBStub &&
5338 arm_feature(env, ARM_FEATURE_V8)) {
5343 switch_mode(env, val & CPSR_M);
5346 mask &= ~CACHED_CPSR_BITS;
5347 env->uncached_cpsr = (env->uncached_cpsr & ~mask) | (val & mask);
5350 /* Sign/zero extend */
5351 uint32_t HELPER(sxtb16)(uint32_t x)
5354 res = (uint16_t)(int8_t)x;
5355 res |= (uint32_t)(int8_t)(x >> 16) << 16;
5359 uint32_t HELPER(uxtb16)(uint32_t x)
5362 res = (uint16_t)(uint8_t)x;
5363 res |= (uint32_t)(uint8_t)(x >> 16) << 16;
5367 uint32_t HELPER(clz)(uint32_t x)
5372 int32_t HELPER(sdiv)(int32_t num, int32_t den)
5376 if (num == INT_MIN && den == -1)
5381 uint32_t HELPER(udiv)(uint32_t num, uint32_t den)
5388 uint32_t HELPER(rbit)(uint32_t x)
5393 #if defined(CONFIG_USER_ONLY)
5395 /* These should probably raise undefined insn exceptions. */
5396 void HELPER(v7m_msr)(CPUARMState *env, uint32_t reg, uint32_t val)
5398 ARMCPU *cpu = arm_env_get_cpu(env);
5400 cpu_abort(CPU(cpu), "v7m_msr %d\n", reg);
5403 uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
5405 ARMCPU *cpu = arm_env_get_cpu(env);
5407 cpu_abort(CPU(cpu), "v7m_mrs %d\n", reg);
5411 void switch_mode(CPUARMState *env, int mode)
5413 ARMCPU *cpu = arm_env_get_cpu(env);
5415 if (mode != ARM_CPU_MODE_USR) {
5416 cpu_abort(CPU(cpu), "Tried to switch out of user mode\n");
5420 uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
5421 uint32_t cur_el, bool secure)
5426 void aarch64_sync_64_to_32(CPUARMState *env)
5428 g_assert_not_reached();
5433 void switch_mode(CPUARMState *env, int mode)
5438 old_mode = env->uncached_cpsr & CPSR_M;
5439 if (mode == old_mode)
5442 if (old_mode == ARM_CPU_MODE_FIQ) {
5443 memcpy (env->fiq_regs, env->regs + 8, 5 * sizeof(uint32_t));
5444 memcpy (env->regs + 8, env->usr_regs, 5 * sizeof(uint32_t));
5445 } else if (mode == ARM_CPU_MODE_FIQ) {
5446 memcpy (env->usr_regs, env->regs + 8, 5 * sizeof(uint32_t));
5447 memcpy (env->regs + 8, env->fiq_regs, 5 * sizeof(uint32_t));
5450 i = bank_number(old_mode);
5451 env->banked_r13[i] = env->regs[13];
5452 env->banked_r14[i] = env->regs[14];
5453 env->banked_spsr[i] = env->spsr;
5455 i = bank_number(mode);
5456 env->regs[13] = env->banked_r13[i];
5457 env->regs[14] = env->banked_r14[i];
5458 env->spsr = env->banked_spsr[i];
5461 /* Physical Interrupt Target EL Lookup Table
5463 * [ From ARM ARM section G1.13.4 (Table G1-15) ]
5465 * The below multi-dimensional table is used for looking up the target
5466 * exception level given numerous condition criteria. Specifically, the
5467 * target EL is based on SCR and HCR routing controls as well as the
5468 * currently executing EL and secure state.
5471 * target_el_table[2][2][2][2][2][4]
5472 * | | | | | +--- Current EL
5473 * | | | | +------ Non-secure(0)/Secure(1)
5474 * | | | +--------- HCR mask override
5475 * | | +------------ SCR exec state control
5476 * | +--------------- SCR mask override
5477 * +------------------ 32-bit(0)/64-bit(1) EL3
5479 * The table values are as such:
5483 * The ARM ARM target EL table includes entries indicating that an "exception
5484 * is not taken". The two cases where this is applicable are:
5485 * 1) An exception is taken from EL3 but the SCR does not have the exception
5487 * 2) An exception is taken from EL2 but the HCR does not have the exception
5489 * In these two cases, the below table contain a target of EL1. This value is
5490 * returned as it is expected that the consumer of the table data will check
5491 * for "target EL >= current EL" to ensure the exception is not taken.
5495 * BIT IRQ IMO Non-secure Secure
5496 * EL3 FIQ RW FMO EL0 EL1 EL2 EL3 EL0 EL1 EL2 EL3
5498 static const int8_t target_el_table[2][2][2][2][2][4] = {
5499 {{{{/* 0 0 0 0 */{ 1, 1, 2, -1 },{ 3, -1, -1, 3 },},
5500 {/* 0 0 0 1 */{ 2, 2, 2, -1 },{ 3, -1, -1, 3 },},},
5501 {{/* 0 0 1 0 */{ 1, 1, 2, -1 },{ 3, -1, -1, 3 },},
5502 {/* 0 0 1 1 */{ 2, 2, 2, -1 },{ 3, -1, -1, 3 },},},},
5503 {{{/* 0 1 0 0 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },},
5504 {/* 0 1 0 1 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },},},
5505 {{/* 0 1 1 0 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },},
5506 {/* 0 1 1 1 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },},},},},
5507 {{{{/* 1 0 0 0 */{ 1, 1, 2, -1 },{ 1, 1, -1, 1 },},
5508 {/* 1 0 0 1 */{ 2, 2, 2, -1 },{ 1, 1, -1, 1 },},},
5509 {{/* 1 0 1 0 */{ 1, 1, 1, -1 },{ 1, 1, -1, 1 },},
5510 {/* 1 0 1 1 */{ 2, 2, 2, -1 },{ 1, 1, -1, 1 },},},},
5511 {{{/* 1 1 0 0 */{ 3, 3, 3, -1 },{ 3, 3, -1, 3 },},
5512 {/* 1 1 0 1 */{ 3, 3, 3, -1 },{ 3, 3, -1, 3 },},},
5513 {{/* 1 1 1 0 */{ 3, 3, 3, -1 },{ 3, 3, -1, 3 },},
5514 {/* 1 1 1 1 */{ 3, 3, 3, -1 },{ 3, 3, -1, 3 },},},},},
5518 * Determine the target EL for physical exceptions
5520 uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
5521 uint32_t cur_el, bool secure)
5523 CPUARMState *env = cs->env_ptr;
5528 /* Is the highest EL AArch64? */
5529 int is64 = arm_feature(env, ARM_FEATURE_AARCH64);
5531 if (arm_feature(env, ARM_FEATURE_EL3)) {
5532 rw = ((env->cp15.scr_el3 & SCR_RW) == SCR_RW);
5534 /* Either EL2 is the highest EL (and so the EL2 register width
5535 * is given by is64); or there is no EL2 or EL3, in which case
5536 * the value of 'rw' does not affect the table lookup anyway.
5543 scr = ((env->cp15.scr_el3 & SCR_IRQ) == SCR_IRQ);
5544 hcr = ((env->cp15.hcr_el2 & HCR_IMO) == HCR_IMO);
5547 scr = ((env->cp15.scr_el3 & SCR_FIQ) == SCR_FIQ);
5548 hcr = ((env->cp15.hcr_el2 & HCR_FMO) == HCR_FMO);
5551 scr = ((env->cp15.scr_el3 & SCR_EA) == SCR_EA);
5552 hcr = ((env->cp15.hcr_el2 & HCR_AMO) == HCR_AMO);
5556 /* If HCR.TGE is set then HCR is treated as being 1 */
5557 hcr |= ((env->cp15.hcr_el2 & HCR_TGE) == HCR_TGE);
5559 /* Perform a table-lookup for the target EL given the current state */
5560 target_el = target_el_table[is64][scr][rw][hcr][secure][cur_el];
5562 assert(target_el > 0);
5567 static void v7m_push(CPUARMState *env, uint32_t val)
5569 CPUState *cs = CPU(arm_env_get_cpu(env));
5572 stl_phys(cs->as, env->regs[13], val);
5575 static uint32_t v7m_pop(CPUARMState *env)
5577 CPUState *cs = CPU(arm_env_get_cpu(env));
5580 val = ldl_phys(cs->as, env->regs[13]);
5585 /* Switch to V7M main or process stack pointer. */
5586 static void switch_v7m_sp(CPUARMState *env, int process)
5589 if (env->v7m.current_sp != process) {
5590 tmp = env->v7m.other_sp;
5591 env->v7m.other_sp = env->regs[13];
5592 env->regs[13] = tmp;
5593 env->v7m.current_sp = process;
5597 static void do_v7m_exception_exit(CPUARMState *env)
5602 type = env->regs[15];
5603 if (env->v7m.exception != 0)
5604 armv7m_nvic_complete_irq(env->nvic, env->v7m.exception);
5606 /* Switch to the target stack. */
5607 switch_v7m_sp(env, (type & 4) != 0);
5608 /* Pop registers. */
5609 env->regs[0] = v7m_pop(env);
5610 env->regs[1] = v7m_pop(env);
5611 env->regs[2] = v7m_pop(env);
5612 env->regs[3] = v7m_pop(env);
5613 env->regs[12] = v7m_pop(env);
5614 env->regs[14] = v7m_pop(env);
5615 env->regs[15] = v7m_pop(env);
5616 if (env->regs[15] & 1) {
5617 qemu_log_mask(LOG_GUEST_ERROR,
5618 "M profile return from interrupt with misaligned "
5619 "PC is UNPREDICTABLE\n");
5620 /* Actual hardware seems to ignore the lsbit, and there are several
5621 * RTOSes out there which incorrectly assume the r15 in the stack
5622 * frame should be a Thumb-style "lsbit indicates ARM/Thumb" value.
5624 env->regs[15] &= ~1U;
5626 xpsr = v7m_pop(env);
5627 xpsr_write(env, xpsr, 0xfffffdff);
5628 /* Undo stack alignment. */
5631 /* ??? The exception return type specifies Thread/Handler mode. However
5632 this is also implied by the xPSR value. Not sure what to do
5633 if there is a mismatch. */
5634 /* ??? Likewise for mismatches between the CONTROL register and the stack
5638 void arm_v7m_cpu_do_interrupt(CPUState *cs)
5640 ARMCPU *cpu = ARM_CPU(cs);
5641 CPUARMState *env = &cpu->env;
5642 uint32_t xpsr = xpsr_read(env);
5646 arm_log_exception(cs->exception_index);
5649 if (env->v7m.current_sp)
5651 if (env->v7m.exception == 0)
5654 /* For exceptions we just mark as pending on the NVIC, and let that
5656 /* TODO: Need to escalate if the current priority is higher than the
5657 one we're raising. */
5658 switch (cs->exception_index) {
5660 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
5663 /* The PC already points to the next instruction. */
5664 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SVC);
5666 case EXCP_PREFETCH_ABORT:
5667 case EXCP_DATA_ABORT:
5668 /* TODO: if we implemented the MPU registers, this is where we
5669 * should set the MMFAR, etc from exception.fsr and exception.vaddress.
5671 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM);
5674 if (semihosting_enabled()) {
5676 nr = arm_lduw_code(env, env->regs[15], env->bswap_code) & 0xff;
5679 qemu_log_mask(CPU_LOG_INT,
5680 "...handling as semihosting call 0x%x\n",
5682 env->regs[0] = do_arm_semihosting(env);
5686 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_DEBUG);
5689 env->v7m.exception = armv7m_nvic_acknowledge_irq(env->nvic);
5691 case EXCP_EXCEPTION_EXIT:
5692 do_v7m_exception_exit(env);
5695 cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
5696 return; /* Never happens. Keep compiler happy. */
5699 /* Align stack pointer. */
5700 /* ??? Should only do this if Configuration Control Register
5701 STACKALIGN bit is set. */
5702 if (env->regs[13] & 4) {
5706 /* Switch to the handler mode. */
5707 v7m_push(env, xpsr);
5708 v7m_push(env, env->regs[15]);
5709 v7m_push(env, env->regs[14]);
5710 v7m_push(env, env->regs[12]);
5711 v7m_push(env, env->regs[3]);
5712 v7m_push(env, env->regs[2]);
5713 v7m_push(env, env->regs[1]);
5714 v7m_push(env, env->regs[0]);
5715 switch_v7m_sp(env, 0);
5717 env->condexec_bits = 0;
5719 addr = ldl_phys(cs->as, env->v7m.vecbase + env->v7m.exception * 4);
5720 env->regs[15] = addr & 0xfffffffe;
5721 env->thumb = addr & 1;
5724 /* Function used to synchronize QEMU's AArch64 register set with AArch32
5725 * register set. This is necessary when switching between AArch32 and AArch64
5728 void aarch64_sync_32_to_64(CPUARMState *env)
5731 uint32_t mode = env->uncached_cpsr & CPSR_M;
5733 /* We can blanket copy R[0:7] to X[0:7] */
5734 for (i = 0; i < 8; i++) {
5735 env->xregs[i] = env->regs[i];
5738 /* Unless we are in FIQ mode, x8-x12 come from the user registers r8-r12.
5739 * Otherwise, they come from the banked user regs.
5741 if (mode == ARM_CPU_MODE_FIQ) {
5742 for (i = 8; i < 13; i++) {
5743 env->xregs[i] = env->usr_regs[i - 8];
5746 for (i = 8; i < 13; i++) {
5747 env->xregs[i] = env->regs[i];
5751 /* Registers x13-x23 are the various mode SP and FP registers. Registers
5752 * r13 and r14 are only copied if we are in that mode, otherwise we copy
5753 * from the mode banked register.
5755 if (mode == ARM_CPU_MODE_USR || mode == ARM_CPU_MODE_SYS) {
5756 env->xregs[13] = env->regs[13];
5757 env->xregs[14] = env->regs[14];
5759 env->xregs[13] = env->banked_r13[bank_number(ARM_CPU_MODE_USR)];
5760 /* HYP is an exception in that it is copied from r14 */
5761 if (mode == ARM_CPU_MODE_HYP) {
5762 env->xregs[14] = env->regs[14];
5764 env->xregs[14] = env->banked_r14[bank_number(ARM_CPU_MODE_USR)];
5768 if (mode == ARM_CPU_MODE_HYP) {
5769 env->xregs[15] = env->regs[13];
5771 env->xregs[15] = env->banked_r13[bank_number(ARM_CPU_MODE_HYP)];
5774 if (mode == ARM_CPU_MODE_IRQ) {
5775 env->xregs[16] = env->regs[14];
5776 env->xregs[17] = env->regs[13];
5778 env->xregs[16] = env->banked_r14[bank_number(ARM_CPU_MODE_IRQ)];
5779 env->xregs[17] = env->banked_r13[bank_number(ARM_CPU_MODE_IRQ)];
5782 if (mode == ARM_CPU_MODE_SVC) {
5783 env->xregs[18] = env->regs[14];
5784 env->xregs[19] = env->regs[13];
5786 env->xregs[18] = env->banked_r14[bank_number(ARM_CPU_MODE_SVC)];
5787 env->xregs[19] = env->banked_r13[bank_number(ARM_CPU_MODE_SVC)];
5790 if (mode == ARM_CPU_MODE_ABT) {
5791 env->xregs[20] = env->regs[14];
5792 env->xregs[21] = env->regs[13];
5794 env->xregs[20] = env->banked_r14[bank_number(ARM_CPU_MODE_ABT)];
5795 env->xregs[21] = env->banked_r13[bank_number(ARM_CPU_MODE_ABT)];
5798 if (mode == ARM_CPU_MODE_UND) {
5799 env->xregs[22] = env->regs[14];
5800 env->xregs[23] = env->regs[13];
5802 env->xregs[22] = env->banked_r14[bank_number(ARM_CPU_MODE_UND)];
5803 env->xregs[23] = env->banked_r13[bank_number(ARM_CPU_MODE_UND)];
5806 /* Registers x24-x30 are mapped to r8-r14 in FIQ mode. If we are in FIQ
5807 * mode, then we can copy from r8-r14. Otherwise, we copy from the
5808 * FIQ bank for r8-r14.
5810 if (mode == ARM_CPU_MODE_FIQ) {
5811 for (i = 24; i < 31; i++) {
5812 env->xregs[i] = env->regs[i - 16]; /* X[24:30] <- R[8:14] */
5815 for (i = 24; i < 29; i++) {
5816 env->xregs[i] = env->fiq_regs[i - 24];
5818 env->xregs[29] = env->banked_r13[bank_number(ARM_CPU_MODE_FIQ)];
5819 env->xregs[30] = env->banked_r14[bank_number(ARM_CPU_MODE_FIQ)];
5822 env->pc = env->regs[15];
5825 /* Function used to synchronize QEMU's AArch32 register set with AArch64
5826 * register set. This is necessary when switching between AArch32 and AArch64
5829 void aarch64_sync_64_to_32(CPUARMState *env)
5832 uint32_t mode = env->uncached_cpsr & CPSR_M;
5834 /* We can blanket copy X[0:7] to R[0:7] */
5835 for (i = 0; i < 8; i++) {
5836 env->regs[i] = env->xregs[i];
5839 /* Unless we are in FIQ mode, r8-r12 come from the user registers x8-x12.
5840 * Otherwise, we copy x8-x12 into the banked user regs.
5842 if (mode == ARM_CPU_MODE_FIQ) {
5843 for (i = 8; i < 13; i++) {
5844 env->usr_regs[i - 8] = env->xregs[i];
5847 for (i = 8; i < 13; i++) {
5848 env->regs[i] = env->xregs[i];
5852 /* Registers r13 & r14 depend on the current mode.
5853 * If we are in a given mode, we copy the corresponding x registers to r13
5854 * and r14. Otherwise, we copy the x register to the banked r13 and r14
5857 if (mode == ARM_CPU_MODE_USR || mode == ARM_CPU_MODE_SYS) {
5858 env->regs[13] = env->xregs[13];
5859 env->regs[14] = env->xregs[14];
5861 env->banked_r13[bank_number(ARM_CPU_MODE_USR)] = env->xregs[13];
5863 /* HYP is an exception in that it does not have its own banked r14 but
5864 * shares the USR r14
5866 if (mode == ARM_CPU_MODE_HYP) {
5867 env->regs[14] = env->xregs[14];
5869 env->banked_r14[bank_number(ARM_CPU_MODE_USR)] = env->xregs[14];
5873 if (mode == ARM_CPU_MODE_HYP) {
5874 env->regs[13] = env->xregs[15];
5876 env->banked_r13[bank_number(ARM_CPU_MODE_HYP)] = env->xregs[15];
5879 if (mode == ARM_CPU_MODE_IRQ) {
5880 env->regs[14] = env->xregs[16];
5881 env->regs[13] = env->xregs[17];
5883 env->banked_r14[bank_number(ARM_CPU_MODE_IRQ)] = env->xregs[16];
5884 env->banked_r13[bank_number(ARM_CPU_MODE_IRQ)] = env->xregs[17];
5887 if (mode == ARM_CPU_MODE_SVC) {
5888 env->regs[14] = env->xregs[18];
5889 env->regs[13] = env->xregs[19];
5891 env->banked_r14[bank_number(ARM_CPU_MODE_SVC)] = env->xregs[18];
5892 env->banked_r13[bank_number(ARM_CPU_MODE_SVC)] = env->xregs[19];
5895 if (mode == ARM_CPU_MODE_ABT) {
5896 env->regs[14] = env->xregs[20];
5897 env->regs[13] = env->xregs[21];
5899 env->banked_r14[bank_number(ARM_CPU_MODE_ABT)] = env->xregs[20];
5900 env->banked_r13[bank_number(ARM_CPU_MODE_ABT)] = env->xregs[21];
5903 if (mode == ARM_CPU_MODE_UND) {
5904 env->regs[14] = env->xregs[22];
5905 env->regs[13] = env->xregs[23];
5907 env->banked_r14[bank_number(ARM_CPU_MODE_UND)] = env->xregs[22];
5908 env->banked_r13[bank_number(ARM_CPU_MODE_UND)] = env->xregs[23];
5911 /* Registers x24-x30 are mapped to r8-r14 in FIQ mode. If we are in FIQ
5912 * mode, then we can copy to r8-r14. Otherwise, we copy to the
5913 * FIQ bank for r8-r14.
5915 if (mode == ARM_CPU_MODE_FIQ) {
5916 for (i = 24; i < 31; i++) {
5917 env->regs[i - 16] = env->xregs[i]; /* X[24:30] -> R[8:14] */
5920 for (i = 24; i < 29; i++) {
5921 env->fiq_regs[i - 24] = env->xregs[i];
5923 env->banked_r13[bank_number(ARM_CPU_MODE_FIQ)] = env->xregs[29];
5924 env->banked_r14[bank_number(ARM_CPU_MODE_FIQ)] = env->xregs[30];
5927 env->regs[15] = env->pc;
5930 static void arm_cpu_do_interrupt_aarch32(CPUState *cs)
5932 ARMCPU *cpu = ARM_CPU(cs);
5933 CPUARMState *env = &cpu->env;
5940 /* If this is a debug exception we must update the DBGDSCR.MOE bits */
5941 switch (env->exception.syndrome >> ARM_EL_EC_SHIFT) {
5943 case EC_BREAKPOINT_SAME_EL:
5947 case EC_WATCHPOINT_SAME_EL:
5953 case EC_VECTORCATCH:
5962 env->cp15.mdscr_el1 = deposit64(env->cp15.mdscr_el1, 2, 4, moe);
5965 /* TODO: Vectored interrupt controller. */
5966 switch (cs->exception_index) {
5968 new_mode = ARM_CPU_MODE_UND;
5977 new_mode = ARM_CPU_MODE_SVC;
5980 /* The PC already points to the next instruction. */
5984 env->exception.fsr = 2;
5985 /* Fall through to prefetch abort. */
5986 case EXCP_PREFETCH_ABORT:
5987 A32_BANKED_CURRENT_REG_SET(env, ifsr, env->exception.fsr);
5988 A32_BANKED_CURRENT_REG_SET(env, ifar, env->exception.vaddress);
5989 qemu_log_mask(CPU_LOG_INT, "...with IFSR 0x%x IFAR 0x%x\n",
5990 env->exception.fsr, (uint32_t)env->exception.vaddress);
5991 new_mode = ARM_CPU_MODE_ABT;
5993 mask = CPSR_A | CPSR_I;
5996 case EXCP_DATA_ABORT:
5997 A32_BANKED_CURRENT_REG_SET(env, dfsr, env->exception.fsr);
5998 A32_BANKED_CURRENT_REG_SET(env, dfar, env->exception.vaddress);
5999 qemu_log_mask(CPU_LOG_INT, "...with DFSR 0x%x DFAR 0x%x\n",
6001 (uint32_t)env->exception.vaddress);
6002 new_mode = ARM_CPU_MODE_ABT;
6004 mask = CPSR_A | CPSR_I;
6008 new_mode = ARM_CPU_MODE_IRQ;
6010 /* Disable IRQ and imprecise data aborts. */
6011 mask = CPSR_A | CPSR_I;
6013 if (env->cp15.scr_el3 & SCR_IRQ) {
6014 /* IRQ routed to monitor mode */
6015 new_mode = ARM_CPU_MODE_MON;
6020 new_mode = ARM_CPU_MODE_FIQ;
6022 /* Disable FIQ, IRQ and imprecise data aborts. */
6023 mask = CPSR_A | CPSR_I | CPSR_F;
6024 if (env->cp15.scr_el3 & SCR_FIQ) {
6025 /* FIQ routed to monitor mode */
6026 new_mode = ARM_CPU_MODE_MON;
6031 new_mode = ARM_CPU_MODE_MON;
6033 mask = CPSR_A | CPSR_I | CPSR_F;
6037 cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
6038 return; /* Never happens. Keep compiler happy. */
6041 if (new_mode == ARM_CPU_MODE_MON) {
6042 addr += env->cp15.mvbar;
6043 } else if (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_V) {
6044 /* High vectors. When enabled, base address cannot be remapped. */
6047 /* ARM v7 architectures provide a vector base address register to remap
6048 * the interrupt vector table.
6049 * This register is only followed in non-monitor mode, and is banked.
6050 * Note: only bits 31:5 are valid.
6052 addr += A32_BANKED_CURRENT_REG_GET(env, vbar);
6055 if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON) {
6056 env->cp15.scr_el3 &= ~SCR_NS;
6059 switch_mode (env, new_mode);
6060 /* For exceptions taken to AArch32 we must clear the SS bit in both
6061 * PSTATE and in the old-state value we save to SPSR_<mode>, so zero it now.
6063 env->uncached_cpsr &= ~PSTATE_SS;
6064 env->spsr = cpsr_read(env);
6065 /* Clear IT bits. */
6066 env->condexec_bits = 0;
6067 /* Switch to the new mode, and to the correct instruction set. */
6068 env->uncached_cpsr = (env->uncached_cpsr & ~CPSR_M) | new_mode;
6070 /* this is a lie, as the was no c1_sys on V4T/V5, but who cares
6071 * and we should just guard the thumb mode on V4 */
6072 if (arm_feature(env, ARM_FEATURE_V4T)) {
6073 env->thumb = (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_TE) != 0;
6075 env->regs[14] = env->regs[15] + offset;
6076 env->regs[15] = addr;
6079 /* Handle exception entry to a target EL which is using AArch64 */
6080 static void arm_cpu_do_interrupt_aarch64(CPUState *cs)
6082 ARMCPU *cpu = ARM_CPU(cs);
6083 CPUARMState *env = &cpu->env;
6084 unsigned int new_el = env->exception.target_el;
6085 target_ulong addr = env->cp15.vbar_el[new_el];
6086 unsigned int new_mode = aarch64_pstate_mode(new_el, true);
6088 if (arm_current_el(env) < new_el) {
6089 /* Entry vector offset depends on whether the implemented EL
6090 * immediately lower than the target level is using AArch32 or AArch64
6096 is_aa64 = (env->cp15.scr_el3 & SCR_RW) != 0;
6099 is_aa64 = (env->cp15.hcr_el2 & HCR_RW) != 0;
6102 is_aa64 = is_a64(env);
6105 g_assert_not_reached();
6113 } else if (pstate_read(env) & PSTATE_SP) {
6117 switch (cs->exception_index) {
6118 case EXCP_PREFETCH_ABORT:
6119 case EXCP_DATA_ABORT:
6120 env->cp15.far_el[new_el] = env->exception.vaddress;
6121 qemu_log_mask(CPU_LOG_INT, "...with FAR 0x%" PRIx64 "\n",
6122 env->cp15.far_el[new_el]);
6130 env->cp15.esr_el[new_el] = env->exception.syndrome;
6141 qemu_log_mask(CPU_LOG_INT,
6142 "...handling as semihosting call 0x%" PRIx64 "\n",
6144 env->xregs[0] = do_arm_semihosting(env);
6147 cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
6151 env->banked_spsr[aarch64_banked_spsr_index(new_el)] = pstate_read(env);
6152 aarch64_save_sp(env, arm_current_el(env));
6153 env->elr_el[new_el] = env->pc;
6155 env->banked_spsr[aarch64_banked_spsr_index(new_el)] = cpsr_read(env);
6157 env->cp15.esr_el[new_el] |= 1 << 25;
6159 env->elr_el[new_el] = env->regs[15];
6161 aarch64_sync_32_to_64(env);
6163 env->condexec_bits = 0;
6165 qemu_log_mask(CPU_LOG_INT, "...with ELR 0x%" PRIx64 "\n",
6166 env->elr_el[new_el]);
6168 pstate_write(env, PSTATE_DAIF | new_mode);
6170 aarch64_restore_sp(env, new_el);
6174 qemu_log_mask(CPU_LOG_INT, "...to EL%d PC 0x%" PRIx64 " PSTATE 0x%x\n",
6175 new_el, env->pc, pstate_read(env));
6178 static inline bool check_for_semihosting(CPUState *cs)
6180 /* Check whether this exception is a semihosting call; if so
6181 * then handle it and return true; otherwise return false.
6183 ARMCPU *cpu = ARM_CPU(cs);
6184 CPUARMState *env = &cpu->env;
6187 if (cs->exception_index == EXCP_SEMIHOST) {
6188 /* This is always the 64-bit semihosting exception.
6189 * The "is this usermode" and "is semihosting enabled"
6190 * checks have been done at translate time.
6192 qemu_log_mask(CPU_LOG_INT,
6193 "...handling as semihosting call 0x%" PRIx64 "\n",
6195 env->xregs[0] = do_arm_semihosting(env);
6202 /* Only intercept calls from privileged modes, to provide some
6203 * semblance of security.
6205 if (!semihosting_enabled() ||
6206 ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_USR)) {
6210 switch (cs->exception_index) {
6212 /* Check for semihosting interrupt. */
6214 imm = arm_lduw_code(env, env->regs[15] - 2, env->bswap_code)
6220 imm = arm_ldl_code(env, env->regs[15] - 4, env->bswap_code)
6222 if (imm == 0x123456) {
6228 /* See if this is a semihosting syscall. */
6230 imm = arm_lduw_code(env, env->regs[15], env->bswap_code)
6242 qemu_log_mask(CPU_LOG_INT,
6243 "...handling as semihosting call 0x%x\n",
6245 env->regs[0] = do_arm_semihosting(env);
6250 /* Handle a CPU exception for A and R profile CPUs.
6251 * Do any appropriate logging, handle PSCI calls, and then hand off
6252 * to the AArch64-entry or AArch32-entry function depending on the
6253 * target exception level's register width.
6255 void arm_cpu_do_interrupt(CPUState *cs)
6257 ARMCPU *cpu = ARM_CPU(cs);
6258 CPUARMState *env = &cpu->env;
6259 unsigned int new_el = env->exception.target_el;
6263 arm_log_exception(cs->exception_index);
6264 qemu_log_mask(CPU_LOG_INT, "...from EL%d to EL%d\n", arm_current_el(env),
6266 if (qemu_loglevel_mask(CPU_LOG_INT)
6267 && !excp_is_internal(cs->exception_index)) {
6268 qemu_log_mask(CPU_LOG_INT, "...with ESR %x/0x%" PRIx32 "\n",
6269 env->exception.syndrome >> ARM_EL_EC_SHIFT,
6270 env->exception.syndrome);
6273 if (arm_is_psci_call(cpu, cs->exception_index)) {
6274 arm_handle_psci_call(cpu);
6275 qemu_log_mask(CPU_LOG_INT, "...handled as PSCI call\n");
6279 /* Semihosting semantics depend on the register width of the
6280 * code that caused the exception, not the target exception level,
6281 * so must be handled here.
6283 if (check_for_semihosting(cs)) {
6287 assert(!excp_is_internal(cs->exception_index));
6288 if (arm_el_is_aa64(env, new_el)) {
6289 arm_cpu_do_interrupt_aarch64(cs);
6291 arm_cpu_do_interrupt_aarch32(cs);
6294 if (!kvm_enabled()) {
6295 cs->interrupt_request |= CPU_INTERRUPT_EXITTB;
6299 /* Return the exception level which controls this address translation regime */
6300 static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx)
6303 case ARMMMUIdx_S2NS:
6304 case ARMMMUIdx_S1E2:
6306 case ARMMMUIdx_S1E3:
6308 case ARMMMUIdx_S1SE0:
6309 return arm_el_is_aa64(env, 3) ? 1 : 3;
6310 case ARMMMUIdx_S1SE1:
6311 case ARMMMUIdx_S1NSE0:
6312 case ARMMMUIdx_S1NSE1:
6315 g_assert_not_reached();
6319 /* Return true if this address translation regime is secure */
6320 static inline bool regime_is_secure(CPUARMState *env, ARMMMUIdx mmu_idx)
6323 case ARMMMUIdx_S12NSE0:
6324 case ARMMMUIdx_S12NSE1:
6325 case ARMMMUIdx_S1NSE0:
6326 case ARMMMUIdx_S1NSE1:
6327 case ARMMMUIdx_S1E2:
6328 case ARMMMUIdx_S2NS:
6330 case ARMMMUIdx_S1E3:
6331 case ARMMMUIdx_S1SE0:
6332 case ARMMMUIdx_S1SE1:
6335 g_assert_not_reached();
6339 /* Return the SCTLR value which controls this address translation regime */
6340 static inline uint32_t regime_sctlr(CPUARMState *env, ARMMMUIdx mmu_idx)
6342 return env->cp15.sctlr_el[regime_el(env, mmu_idx)];
6345 /* Return true if the specified stage of address translation is disabled */
6346 static inline bool regime_translation_disabled(CPUARMState *env,
6349 if (mmu_idx == ARMMMUIdx_S2NS) {
6350 return (env->cp15.hcr_el2 & HCR_VM) == 0;
6352 return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
6355 /* Return the TCR controlling this translation regime */
6356 static inline TCR *regime_tcr(CPUARMState *env, ARMMMUIdx mmu_idx)
6358 if (mmu_idx == ARMMMUIdx_S2NS) {
6359 return &env->cp15.vtcr_el2;
6361 return &env->cp15.tcr_el[regime_el(env, mmu_idx)];
6364 /* Return the TTBR associated with this translation regime */
6365 static inline uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx,
6368 if (mmu_idx == ARMMMUIdx_S2NS) {
6369 return env->cp15.vttbr_el2;
6372 return env->cp15.ttbr0_el[regime_el(env, mmu_idx)];
6374 return env->cp15.ttbr1_el[regime_el(env, mmu_idx)];
6378 /* Return true if the translation regime is using LPAE format page tables */
6379 static inline bool regime_using_lpae_format(CPUARMState *env,
6382 int el = regime_el(env, mmu_idx);
6383 if (el == 2 || arm_el_is_aa64(env, el)) {
6386 if (arm_feature(env, ARM_FEATURE_LPAE)
6387 && (regime_tcr(env, mmu_idx)->raw_tcr & TTBCR_EAE)) {
6393 /* Returns true if the stage 1 translation regime is using LPAE format page
6394 * tables. Used when raising alignment exceptions, whose FSR changes depending
6395 * on whether the long or short descriptor format is in use. */
6396 bool arm_s1_regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx)
6398 if (mmu_idx == ARMMMUIdx_S12NSE0 || mmu_idx == ARMMMUIdx_S12NSE1) {
6399 mmu_idx += ARMMMUIdx_S1NSE0;
6402 return regime_using_lpae_format(env, mmu_idx);
6405 static inline bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx)
6408 case ARMMMUIdx_S1SE0:
6409 case ARMMMUIdx_S1NSE0:
6413 case ARMMMUIdx_S12NSE0:
6414 case ARMMMUIdx_S12NSE1:
6415 g_assert_not_reached();
6419 /* Translate section/page access permissions to page
6420 * R/W protection flags
6423 * @mmu_idx: MMU index indicating required translation regime
6424 * @ap: The 3-bit access permissions (AP[2:0])
6425 * @domain_prot: The 2-bit domain access permissions
6427 static inline int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx,
6428 int ap, int domain_prot)
6430 bool is_user = regime_is_user(env, mmu_idx);
6432 if (domain_prot == 3) {
6433 return PAGE_READ | PAGE_WRITE;
6438 if (arm_feature(env, ARM_FEATURE_V7)) {
6441 switch (regime_sctlr(env, mmu_idx) & (SCTLR_S | SCTLR_R)) {
6443 return is_user ? 0 : PAGE_READ;
6450 return is_user ? 0 : PAGE_READ | PAGE_WRITE;
6455 return PAGE_READ | PAGE_WRITE;
6458 return PAGE_READ | PAGE_WRITE;
6459 case 4: /* Reserved. */
6462 return is_user ? 0 : PAGE_READ;
6466 if (!arm_feature(env, ARM_FEATURE_V6K)) {
6471 g_assert_not_reached();
6475 /* Translate section/page access permissions to page
6476 * R/W protection flags.
6478 * @ap: The 2-bit simple AP (AP[2:1])
6479 * @is_user: TRUE if accessing from PL0
6481 static inline int simple_ap_to_rw_prot_is_user(int ap, bool is_user)
6485 return is_user ? 0 : PAGE_READ | PAGE_WRITE;
6487 return PAGE_READ | PAGE_WRITE;
6489 return is_user ? 0 : PAGE_READ;
6493 g_assert_not_reached();
6498 simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap)
6500 return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
6503 /* Translate S2 section/page access permissions to protection flags
6506 * @s2ap: The 2-bit stage2 access permissions (S2AP)
6507 * @xn: XN (execute-never) bit
6509 static int get_S2prot(CPUARMState *env, int s2ap, int xn)
6525 /* Translate section/page access permissions to protection flags
6528 * @mmu_idx: MMU index indicating required translation regime
6529 * @is_aa64: TRUE if AArch64
6530 * @ap: The 2-bit simple AP (AP[2:1])
6531 * @ns: NS (non-secure) bit
6532 * @xn: XN (execute-never) bit
6533 * @pxn: PXN (privileged execute-never) bit
6535 static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
6536 int ap, int ns, int xn, int pxn)
6538 bool is_user = regime_is_user(env, mmu_idx);
6539 int prot_rw, user_rw;
6543 assert(mmu_idx != ARMMMUIdx_S2NS);
6545 user_rw = simple_ap_to_rw_prot_is_user(ap, true);
6549 prot_rw = simple_ap_to_rw_prot_is_user(ap, false);
6552 if (ns && arm_is_secure(env) && (env->cp15.scr_el3 & SCR_SIF)) {
6556 /* TODO have_wxn should be replaced with
6557 * ARM_FEATURE_V8 || (ARM_FEATURE_V7 && ARM_FEATURE_EL2)
6558 * when ARM_FEATURE_EL2 starts getting set. For now we assume all LPAE
6559 * compatible processors have EL2, which is required for [U]WXN.
6561 have_wxn = arm_feature(env, ARM_FEATURE_LPAE);
6564 wxn = regime_sctlr(env, mmu_idx) & SCTLR_WXN;
6568 switch (regime_el(env, mmu_idx)) {
6571 xn = pxn || (user_rw & PAGE_WRITE);
6578 } else if (arm_feature(env, ARM_FEATURE_V7)) {
6579 switch (regime_el(env, mmu_idx)) {
6583 xn = xn || !(user_rw & PAGE_READ);
6587 uwxn = regime_sctlr(env, mmu_idx) & SCTLR_UWXN;
6589 xn = xn || !(prot_rw & PAGE_READ) || pxn ||
6590 (uwxn && (user_rw & PAGE_WRITE));
6600 if (xn || (wxn && (prot_rw & PAGE_WRITE))) {
6603 return prot_rw | PAGE_EXEC;
6606 static bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
6607 uint32_t *table, uint32_t address)
6609 /* Note that we can only get here for an AArch32 PL0/PL1 lookup */
6610 TCR *tcr = regime_tcr(env, mmu_idx);
6612 if (address & tcr->mask) {
6613 if (tcr->raw_tcr & TTBCR_PD1) {
6614 /* Translation table walk disabled for TTBR1 */
6617 *table = regime_ttbr(env, mmu_idx, 1) & 0xffffc000;
6619 if (tcr->raw_tcr & TTBCR_PD0) {
6620 /* Translation table walk disabled for TTBR0 */
6623 *table = regime_ttbr(env, mmu_idx, 0) & tcr->base_mask;
6625 *table |= (address >> 18) & 0x3ffc;
6629 /* Translate a S1 pagetable walk through S2 if needed. */
6630 static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
6631 hwaddr addr, MemTxAttrs txattrs,
6633 ARMMMUFaultInfo *fi)
6635 if ((mmu_idx == ARMMMUIdx_S1NSE0 || mmu_idx == ARMMMUIdx_S1NSE1) &&
6636 !regime_translation_disabled(env, ARMMMUIdx_S2NS)) {
6637 target_ulong s2size;
6642 ret = get_phys_addr_lpae(env, addr, 0, ARMMMUIdx_S2NS, &s2pa,
6643 &txattrs, &s2prot, &s2size, fsr, fi);
6655 /* All loads done in the course of a page table walk go through here.
6656 * TODO: rather than ignoring errors from physical memory reads (which
6657 * are external aborts in ARM terminology) we should propagate this
6658 * error out so that we can turn it into a Data Abort if this walk
6659 * was being done for a CPU load/store or an address translation instruction
6660 * (but not if it was for a debug access).
6662 static uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure,
6663 ARMMMUIdx mmu_idx, uint32_t *fsr,
6664 ARMMMUFaultInfo *fi)
6666 ARMCPU *cpu = ARM_CPU(cs);
6667 CPUARMState *env = &cpu->env;
6668 MemTxAttrs attrs = {};
6671 attrs.secure = is_secure;
6672 as = arm_addressspace(cs, attrs);
6673 addr = S1_ptw_translate(env, mmu_idx, addr, attrs, fsr, fi);
6677 return address_space_ldl(as, addr, attrs, NULL);
6680 static uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool is_secure,
6681 ARMMMUIdx mmu_idx, uint32_t *fsr,
6682 ARMMMUFaultInfo *fi)
6684 ARMCPU *cpu = ARM_CPU(cs);
6685 CPUARMState *env = &cpu->env;
6686 MemTxAttrs attrs = {};
6689 attrs.secure = is_secure;
6690 as = arm_addressspace(cs, attrs);
6691 addr = S1_ptw_translate(env, mmu_idx, addr, attrs, fsr, fi);
6695 return address_space_ldq(as, addr, attrs, NULL);
6698 static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
6699 int access_type, ARMMMUIdx mmu_idx,
6700 hwaddr *phys_ptr, int *prot,
6701 target_ulong *page_size, uint32_t *fsr,
6702 ARMMMUFaultInfo *fi)
6704 CPUState *cs = CPU(arm_env_get_cpu(env));
6715 /* Pagetable walk. */
6716 /* Lookup l1 descriptor. */
6717 if (!get_level1_table_address(env, mmu_idx, &table, address)) {
6718 /* Section translation fault if page walk is disabled by PD0 or PD1 */
6722 desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx),
6725 domain = (desc >> 5) & 0x0f;
6726 if (regime_el(env, mmu_idx) == 1) {
6727 dacr = env->cp15.dacr_ns;
6729 dacr = env->cp15.dacr_s;
6731 domain_prot = (dacr >> (domain * 2)) & 3;
6733 /* Section translation fault. */
6737 if (domain_prot == 0 || domain_prot == 2) {
6739 code = 9; /* Section domain fault. */
6741 code = 11; /* Page domain fault. */
6746 phys_addr = (desc & 0xfff00000) | (address & 0x000fffff);
6747 ap = (desc >> 10) & 3;
6749 *page_size = 1024 * 1024;
6751 /* Lookup l2 entry. */
6753 /* Coarse pagetable. */
6754 table = (desc & 0xfffffc00) | ((address >> 10) & 0x3fc);
6756 /* Fine pagetable. */
6757 table = (desc & 0xfffff000) | ((address >> 8) & 0xffc);
6759 desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx),
6762 case 0: /* Page translation fault. */
6765 case 1: /* 64k page. */
6766 phys_addr = (desc & 0xffff0000) | (address & 0xffff);
6767 ap = (desc >> (4 + ((address >> 13) & 6))) & 3;
6768 *page_size = 0x10000;
6770 case 2: /* 4k page. */
6771 phys_addr = (desc & 0xfffff000) | (address & 0xfff);
6772 ap = (desc >> (4 + ((address >> 9) & 6))) & 3;
6773 *page_size = 0x1000;
6775 case 3: /* 1k page, or ARMv6/XScale "extended small (4k) page" */
6777 /* ARMv6/XScale extended small page format */
6778 if (arm_feature(env, ARM_FEATURE_XSCALE)
6779 || arm_feature(env, ARM_FEATURE_V6)) {
6780 phys_addr = (desc & 0xfffff000) | (address & 0xfff);
6781 *page_size = 0x1000;
6783 /* UNPREDICTABLE in ARMv5; we choose to take a
6784 * page translation fault.
6790 phys_addr = (desc & 0xfffffc00) | (address & 0x3ff);
6793 ap = (desc >> 4) & 3;
6796 /* Never happens, but compiler isn't smart enough to tell. */
6801 *prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
6802 *prot |= *prot ? PAGE_EXEC : 0;
6803 if (!(*prot & (1 << access_type))) {
6804 /* Access permission fault. */
6807 *phys_ptr = phys_addr;
6810 *fsr = code | (domain << 4);
6814 static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
6815 int access_type, ARMMMUIdx mmu_idx,
6816 hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
6817 target_ulong *page_size, uint32_t *fsr,
6818 ARMMMUFaultInfo *fi)
6820 CPUState *cs = CPU(arm_env_get_cpu(env));
6834 /* Pagetable walk. */
6835 /* Lookup l1 descriptor. */
6836 if (!get_level1_table_address(env, mmu_idx, &table, address)) {
6837 /* Section translation fault if page walk is disabled by PD0 or PD1 */
6841 desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx),
6844 if (type == 0 || (type == 3 && !arm_feature(env, ARM_FEATURE_PXN))) {
6845 /* Section translation fault, or attempt to use the encoding
6846 * which is Reserved on implementations without PXN.
6851 if ((type == 1) || !(desc & (1 << 18))) {
6852 /* Page or Section. */
6853 domain = (desc >> 5) & 0x0f;
6855 if (regime_el(env, mmu_idx) == 1) {
6856 dacr = env->cp15.dacr_ns;
6858 dacr = env->cp15.dacr_s;
6860 domain_prot = (dacr >> (domain * 2)) & 3;
6861 if (domain_prot == 0 || domain_prot == 2) {
6863 code = 9; /* Section domain fault. */
6865 code = 11; /* Page domain fault. */
6870 if (desc & (1 << 18)) {
6872 phys_addr = (desc & 0xff000000) | (address & 0x00ffffff);
6873 phys_addr |= (uint64_t)extract32(desc, 20, 4) << 32;
6874 phys_addr |= (uint64_t)extract32(desc, 5, 4) << 36;
6875 *page_size = 0x1000000;
6878 phys_addr = (desc & 0xfff00000) | (address & 0x000fffff);
6879 *page_size = 0x100000;
6881 ap = ((desc >> 10) & 3) | ((desc >> 13) & 4);
6882 xn = desc & (1 << 4);
6885 ns = extract32(desc, 19, 1);
6887 if (arm_feature(env, ARM_FEATURE_PXN)) {
6888 pxn = (desc >> 2) & 1;
6890 ns = extract32(desc, 3, 1);
6891 /* Lookup l2 entry. */
6892 table = (desc & 0xfffffc00) | ((address >> 10) & 0x3fc);
6893 desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx),
6895 ap = ((desc >> 4) & 3) | ((desc >> 7) & 4);
6897 case 0: /* Page translation fault. */
6900 case 1: /* 64k page. */
6901 phys_addr = (desc & 0xffff0000) | (address & 0xffff);
6902 xn = desc & (1 << 15);
6903 *page_size = 0x10000;
6905 case 2: case 3: /* 4k page. */
6906 phys_addr = (desc & 0xfffff000) | (address & 0xfff);
6908 *page_size = 0x1000;
6911 /* Never happens, but compiler isn't smart enough to tell. */
6916 if (domain_prot == 3) {
6917 *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
6919 if (pxn && !regime_is_user(env, mmu_idx)) {
6922 if (xn && access_type == 2)
6925 if (arm_feature(env, ARM_FEATURE_V6K) &&
6926 (regime_sctlr(env, mmu_idx) & SCTLR_AFE)) {
6927 /* The simplified model uses AP[0] as an access control bit. */
6928 if ((ap & 1) == 0) {
6929 /* Access flag fault. */
6930 code = (code == 15) ? 6 : 3;
6933 *prot = simple_ap_to_rw_prot(env, mmu_idx, ap >> 1);
6935 *prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
6940 if (!(*prot & (1 << access_type))) {
6941 /* Access permission fault. */
6946 /* The NS bit will (as required by the architecture) have no effect if
6947 * the CPU doesn't support TZ or this is a non-secure translation
6948 * regime, because the attribute will already be non-secure.
6950 attrs->secure = false;
6952 *phys_ptr = phys_addr;
6955 *fsr = code | (domain << 4);
6959 /* Fault type for long-descriptor MMU fault reporting; this corresponds
6960 * to bits [5..2] in the STATUS field in long-format DFSR/IFSR.
6963 translation_fault = 1,
6965 permission_fault = 3,
6969 * check_s2_mmu_setup
6971 * @is_aa64: True if the translation regime is in AArch64 state
6972 * @startlevel: Suggested starting level
6973 * @inputsize: Bitsize of IPAs
6974 * @stride: Page-table stride (See the ARM ARM)
6976 * Returns true if the suggested S2 translation parameters are OK and
6979 static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
6980 int inputsize, int stride)
6982 const int grainsize = stride + 3;
6985 /* Negative levels are never allowed. */
6990 startsizecheck = inputsize - ((3 - level) * stride + grainsize);
6991 if (startsizecheck < 1 || startsizecheck > stride + 4) {
6996 CPUARMState *env = &cpu->env;
6997 unsigned int pamax = arm_pamax(cpu);
7000 case 13: /* 64KB Pages. */
7001 if (level == 0 || (level == 1 && pamax <= 42)) {
7005 case 11: /* 16KB Pages. */
7006 if (level == 0 || (level == 1 && pamax <= 40)) {
7010 case 9: /* 4KB Pages. */
7011 if (level == 0 && pamax <= 42) {
7016 g_assert_not_reached();
7019 /* Inputsize checks. */
7020 if (inputsize > pamax &&
7021 (arm_el_is_aa64(env, 1) || inputsize > 40)) {
7022 /* This is CONSTRAINED UNPREDICTABLE and we choose to fault. */
7026 /* AArch32 only supports 4KB pages. Assert on that. */
7027 assert(stride == 9);
7036 static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
7037 int access_type, ARMMMUIdx mmu_idx,
7038 hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
7039 target_ulong *page_size_ptr, uint32_t *fsr,
7040 ARMMMUFaultInfo *fi)
7042 ARMCPU *cpu = arm_env_get_cpu(env);
7043 CPUState *cs = CPU(cpu);
7044 /* Read an LPAE long-descriptor translation table. */
7045 MMUFaultType fault_type = translation_fault;
7052 hwaddr descaddr, descmask;
7053 uint32_t tableattrs;
7054 target_ulong page_size;
7057 int32_t va_size = 32;
7060 TCR *tcr = regime_tcr(env, mmu_idx);
7061 int ap, ns, xn, pxn;
7062 uint32_t el = regime_el(env, mmu_idx);
7063 bool ttbr1_valid = true;
7064 uint64_t descaddrmask;
7067 * This code does not handle the different format TCR for VTCR_EL2.
7068 * This code also does not support shareability levels.
7069 * Attribute and permission bit handling should also be checked when adding
7070 * support for those page table walks.
7072 if (arm_el_is_aa64(env, el)) {
7075 if (mmu_idx != ARMMMUIdx_S2NS) {
7076 tbi = extract64(tcr->raw_tcr, 20, 1);
7079 if (extract64(address, 55, 1)) {
7080 tbi = extract64(tcr->raw_tcr, 38, 1);
7082 tbi = extract64(tcr->raw_tcr, 37, 1);
7087 /* If we are in 64-bit EL2 or EL3 then there is no TTBR1, so mark it
7091 ttbr1_valid = false;
7094 /* There is no TTBR1 for EL2 */
7096 ttbr1_valid = false;
7100 /* Determine whether this address is in the region controlled by
7101 * TTBR0 or TTBR1 (or if it is in neither region and should fault).
7102 * This is a Non-secure PL0/1 stage 1 translation, so controlled by
7103 * TTBCR/TTBR0/TTBR1 in accordance with ARM ARM DDI0406C table B-32:
7105 if (va_size == 64) {
7106 /* AArch64 translation. */
7107 t0sz = extract32(tcr->raw_tcr, 0, 6);
7108 t0sz = MIN(t0sz, 39);
7109 t0sz = MAX(t0sz, 16);
7110 } else if (mmu_idx != ARMMMUIdx_S2NS) {
7111 /* AArch32 stage 1 translation. */
7112 t0sz = extract32(tcr->raw_tcr, 0, 3);
7114 /* AArch32 stage 2 translation. */
7115 bool sext = extract32(tcr->raw_tcr, 4, 1);
7116 bool sign = extract32(tcr->raw_tcr, 3, 1);
7117 t0sz = sextract32(tcr->raw_tcr, 0, 4);
7119 /* If the sign-extend bit is not the same as t0sz[3], the result
7120 * is unpredictable. Flag this as a guest error. */
7122 qemu_log_mask(LOG_GUEST_ERROR,
7123 "AArch32: VTCR.S / VTCR.T0SZ[3] missmatch\n");
7126 t1sz = extract32(tcr->raw_tcr, 16, 6);
7127 if (va_size == 64) {
7128 t1sz = MIN(t1sz, 39);
7129 t1sz = MAX(t1sz, 16);
7131 if (t0sz && !extract64(address, va_size - t0sz, t0sz - tbi)) {
7132 /* there is a ttbr0 region and we are in it (high bits all zero) */
7134 } else if (ttbr1_valid && t1sz &&
7135 !extract64(~address, va_size - t1sz, t1sz - tbi)) {
7136 /* there is a ttbr1 region and we are in it (high bits all one) */
7139 /* ttbr0 region is "everything not in the ttbr1 region" */
7141 } else if (!t1sz && ttbr1_valid) {
7142 /* ttbr1 region is "everything not in the ttbr0 region" */
7145 /* in the gap between the two regions, this is a Translation fault */
7146 fault_type = translation_fault;
7150 /* Note that QEMU ignores shareability and cacheability attributes,
7151 * so we don't need to do anything with the SH, ORGN, IRGN fields
7152 * in the TTBCR. Similarly, TTBCR:A1 selects whether we get the
7153 * ASID from TTBR0 or TTBR1, but QEMU's TLB doesn't currently
7154 * implement any ASID-like capability so we can ignore it (instead
7155 * we will always flush the TLB any time the ASID is changed).
7157 if (ttbr_select == 0) {
7158 ttbr = regime_ttbr(env, mmu_idx, 0);
7160 epd = extract32(tcr->raw_tcr, 7, 1);
7162 inputsize = va_size - t0sz;
7164 tg = extract32(tcr->raw_tcr, 14, 2);
7165 if (tg == 1) { /* 64KB pages */
7168 if (tg == 2) { /* 16KB pages */
7172 /* We should only be here if TTBR1 is valid */
7173 assert(ttbr1_valid);
7175 ttbr = regime_ttbr(env, mmu_idx, 1);
7176 epd = extract32(tcr->raw_tcr, 23, 1);
7177 inputsize = va_size - t1sz;
7179 tg = extract32(tcr->raw_tcr, 30, 2);
7180 if (tg == 3) { /* 64KB pages */
7183 if (tg == 1) { /* 16KB pages */
7188 /* Here we should have set up all the parameters for the translation:
7189 * va_size, inputsize, ttbr, epd, stride, tbi
7193 /* Translation table walk disabled => Translation fault on TLB miss
7194 * Note: This is always 0 on 64-bit EL2 and EL3.
7199 if (mmu_idx != ARMMMUIdx_S2NS) {
7200 /* The starting level depends on the virtual address size (which can
7201 * be up to 48 bits) and the translation granule size. It indicates
7202 * the number of strides (stride bits at a time) needed to
7203 * consume the bits of the input address. In the pseudocode this is:
7204 * level = 4 - RoundUp((inputsize - grainsize) / stride)
7205 * where their 'inputsize' is our 'inputsize', 'grainsize' is
7206 * our 'stride + 3' and 'stride' is our 'stride'.
7207 * Applying the usual "rounded up m/n is (m+n-1)/n" and simplifying:
7208 * = 4 - (inputsize - stride - 3 + stride - 1) / stride
7209 * = 4 - (inputsize - 4) / stride;
7211 level = 4 - (inputsize - 4) / stride;
7213 /* For stage 2 translations the starting level is specified by the
7214 * VTCR_EL2.SL0 field (whose interpretation depends on the page size)
7216 int startlevel = extract32(tcr->raw_tcr, 6, 2);
7219 if (va_size == 32 || stride == 9) {
7220 /* AArch32 or 4KB pages */
7221 level = 2 - startlevel;
7223 /* 16KB or 64KB pages */
7224 level = 3 - startlevel;
7227 /* Check that the starting level is valid. */
7228 ok = check_s2_mmu_setup(cpu, va_size == 64, level, inputsize, stride);
7230 /* AArch64 reports these as level 0 faults.
7231 * AArch32 reports these as level 1 faults.
7233 level = va_size == 64 ? 0 : 1;
7234 fault_type = translation_fault;
7239 /* Clear the vaddr bits which aren't part of the within-region address,
7240 * so that we don't have to special case things when calculating the
7241 * first descriptor address.
7243 if (va_size != inputsize) {
7244 address &= (1ULL << inputsize) - 1;
7247 descmask = (1ULL << (stride + 3)) - 1;
7249 /* Now we can extract the actual base address from the TTBR */
7250 descaddr = extract64(ttbr, 0, 48);
7251 descaddr &= ~((1ULL << (inputsize - (stride * (4 - level)))) - 1);
7253 /* The address field in the descriptor goes up to bit 39 for ARMv7
7254 * but up to bit 47 for ARMv8.
7256 if (arm_feature(env, ARM_FEATURE_V8)) {
7257 descaddrmask = 0xfffffffff000ULL;
7259 descaddrmask = 0xfffffff000ULL;
7262 /* Secure accesses start with the page table in secure memory and
7263 * can be downgraded to non-secure at any step. Non-secure accesses
7264 * remain non-secure. We implement this by just ORing in the NSTable/NS
7265 * bits at each step.
7267 tableattrs = regime_is_secure(env, mmu_idx) ? 0 : (1 << 4);
7269 uint64_t descriptor;
7272 descaddr |= (address >> (stride * (4 - level))) & descmask;
7274 nstable = extract32(tableattrs, 4, 1);
7275 descriptor = arm_ldq_ptw(cs, descaddr, !nstable, mmu_idx, fsr, fi);
7280 if (!(descriptor & 1) ||
7281 (!(descriptor & 2) && (level == 3))) {
7282 /* Invalid, or the Reserved level 3 encoding */
7285 descaddr = descriptor & descaddrmask;
7287 if ((descriptor & 2) && (level < 3)) {
7288 /* Table entry. The top five bits are attributes which may
7289 * propagate down through lower levels of the table (and
7290 * which are all arranged so that 0 means "no effect", so
7291 * we can gather them up by ORing in the bits at each level).
7293 tableattrs |= extract64(descriptor, 59, 5);
7297 /* Block entry at level 1 or 2, or page entry at level 3.
7298 * These are basically the same thing, although the number
7299 * of bits we pull in from the vaddr varies.
7301 page_size = (1ULL << ((stride * (4 - level)) + 3));
7302 descaddr |= (address & (page_size - 1));
7303 /* Extract attributes from the descriptor */
7304 attrs = extract64(descriptor, 2, 10)
7305 | (extract64(descriptor, 52, 12) << 10);
7307 if (mmu_idx == ARMMMUIdx_S2NS) {
7308 /* Stage 2 table descriptors do not include any attribute fields */
7311 /* Merge in attributes from table descriptors */
7312 attrs |= extract32(tableattrs, 0, 2) << 11; /* XN, PXN */
7313 attrs |= extract32(tableattrs, 3, 1) << 5; /* APTable[1] => AP[2] */
7314 /* The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
7315 * means "force PL1 access only", which means forcing AP[1] to 0.
7317 if (extract32(tableattrs, 2, 1)) {
7320 attrs |= nstable << 3; /* NS */
7323 /* Here descaddr is the final physical address, and attributes
7326 fault_type = access_fault;
7327 if ((attrs & (1 << 8)) == 0) {
7332 ap = extract32(attrs, 4, 2);
7333 xn = extract32(attrs, 12, 1);
7335 if (mmu_idx == ARMMMUIdx_S2NS) {
7337 *prot = get_S2prot(env, ap, xn);
7339 ns = extract32(attrs, 3, 1);
7340 pxn = extract32(attrs, 11, 1);
7341 *prot = get_S1prot(env, mmu_idx, va_size == 64, ap, ns, xn, pxn);
7344 fault_type = permission_fault;
7345 if (!(*prot & (1 << access_type))) {
7350 /* The NS bit will (as required by the architecture) have no effect if
7351 * the CPU doesn't support TZ or this is a non-secure translation
7352 * regime, because the attribute will already be non-secure.
7354 txattrs->secure = false;
7356 *phys_ptr = descaddr;
7357 *page_size_ptr = page_size;
7361 /* Long-descriptor format IFSR/DFSR value */
7362 *fsr = (1 << 9) | (fault_type << 2) | level;
7363 /* Tag the error as S2 for failed S1 PTW at S2 or ordinary S2. */
7364 fi->stage2 = fi->s1ptw || (mmu_idx == ARMMMUIdx_S2NS);
7368 static inline void get_phys_addr_pmsav7_default(CPUARMState *env,
7370 int32_t address, int *prot)
7372 *prot = PAGE_READ | PAGE_WRITE;
7374 case 0xF0000000 ... 0xFFFFFFFF:
7375 if (regime_sctlr(env, mmu_idx) & SCTLR_V) { /* hivecs execing is ok */
7379 case 0x00000000 ... 0x7FFFFFFF:
7386 static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
7387 int access_type, ARMMMUIdx mmu_idx,
7388 hwaddr *phys_ptr, int *prot, uint32_t *fsr)
7390 ARMCPU *cpu = arm_env_get_cpu(env);
7392 bool is_user = regime_is_user(env, mmu_idx);
7394 *phys_ptr = address;
7397 if (regime_translation_disabled(env, mmu_idx)) { /* MPU disabled */
7398 get_phys_addr_pmsav7_default(env, mmu_idx, address, prot);
7399 } else { /* MPU enabled */
7400 for (n = (int)cpu->pmsav7_dregion - 1; n >= 0; n--) {
7402 uint32_t base = env->pmsav7.drbar[n];
7403 uint32_t rsize = extract32(env->pmsav7.drsr[n], 1, 5);
7407 if (!(env->pmsav7.drsr[n] & 0x1)) {
7412 qemu_log_mask(LOG_GUEST_ERROR, "DRSR.Rsize field can not be 0");
7416 rmask = (1ull << rsize) - 1;
7419 qemu_log_mask(LOG_GUEST_ERROR, "DRBAR %" PRIx32 " misaligned "
7420 "to DRSR region size, mask = %" PRIx32,
7425 if (address < base || address > base + rmask) {
7429 /* Region matched */
7431 if (rsize >= 8) { /* no subregions for regions < 256 bytes */
7433 uint32_t srdis_mask;
7435 rsize -= 3; /* sub region size (power of 2) */
7436 snd = ((address - base) >> rsize) & 0x7;
7437 srdis = extract32(env->pmsav7.drsr[n], snd + 8, 1);
7439 srdis_mask = srdis ? 0x3 : 0x0;
7440 for (i = 2; i <= 8 && rsize < TARGET_PAGE_BITS; i *= 2) {
7441 /* This will check in groups of 2, 4 and then 8, whether
7442 * the subregion bits are consistent. rsize is incremented
7443 * back up to give the region size, considering consistent
7444 * adjacent subregions as one region. Stop testing if rsize
7445 * is already big enough for an entire QEMU page.
7447 int snd_rounded = snd & ~(i - 1);
7448 uint32_t srdis_multi = extract32(env->pmsav7.drsr[n],
7449 snd_rounded + 8, i);
7450 if (srdis_mask ^ srdis_multi) {
7453 srdis_mask = (srdis_mask << i) | srdis_mask;
7457 if (rsize < TARGET_PAGE_BITS) {
7458 qemu_log_mask(LOG_UNIMP, "No support for MPU (sub)region"
7459 "alignment of %" PRIu32 " bits. Minimum is %d\n",
7460 rsize, TARGET_PAGE_BITS);
7469 if (n == -1) { /* no hits */
7470 if (cpu->pmsav7_dregion &&
7471 (is_user || !(regime_sctlr(env, mmu_idx) & SCTLR_BR))) {
7472 /* background fault */
7476 get_phys_addr_pmsav7_default(env, mmu_idx, address, prot);
7477 } else { /* a MPU hit! */
7478 uint32_t ap = extract32(env->pmsav7.dracr[n], 8, 3);
7480 if (is_user) { /* User mode AP bit decoding */
7485 break; /* no access */
7487 *prot |= PAGE_WRITE;
7491 *prot |= PAGE_READ | PAGE_EXEC;
7494 qemu_log_mask(LOG_GUEST_ERROR,
7495 "Bad value for AP bits in DRACR %"
7498 } else { /* Priv. mode AP bits decoding */
7501 break; /* no access */
7505 *prot |= PAGE_WRITE;
7509 *prot |= PAGE_READ | PAGE_EXEC;
7512 qemu_log_mask(LOG_GUEST_ERROR,
7513 "Bad value for AP bits in DRACR %"
7519 if (env->pmsav7.dracr[n] & (1 << 12)) {
7520 *prot &= ~PAGE_EXEC;
7525 *fsr = 0x00d; /* Permission fault */
7526 return !(*prot & (1 << access_type));
7529 static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
7530 int access_type, ARMMMUIdx mmu_idx,
7531 hwaddr *phys_ptr, int *prot, uint32_t *fsr)
7536 bool is_user = regime_is_user(env, mmu_idx);
7538 *phys_ptr = address;
7539 for (n = 7; n >= 0; n--) {
7540 base = env->cp15.c6_region[n];
7541 if ((base & 1) == 0) {
7544 mask = 1 << ((base >> 1) & 0x1f);
7545 /* Keep this shift separate from the above to avoid an
7546 (undefined) << 32. */
7547 mask = (mask << 1) - 1;
7548 if (((base ^ address) & ~mask) == 0) {
7557 if (access_type == 2) {
7558 mask = env->cp15.pmsav5_insn_ap;
7560 mask = env->cp15.pmsav5_data_ap;
7562 mask = (mask >> (n * 4)) & 0xf;
7572 *prot = PAGE_READ | PAGE_WRITE;
7577 *prot |= PAGE_WRITE;
7581 *prot = PAGE_READ | PAGE_WRITE;
7594 /* Bad permission. */
7602 /* get_phys_addr - get the physical address for this virtual address
7604 * Find the physical address corresponding to the given virtual address,
7605 * by doing a translation table walk on MMU based systems or using the
7606 * MPU state on MPU based systems.
7608 * Returns false if the translation was successful. Otherwise, phys_ptr, attrs,
7609 * prot and page_size may not be filled in, and the populated fsr value provides
7610 * information on why the translation aborted, in the format of a
7611 * DFSR/IFSR fault register, with the following caveats:
7612 * * we honour the short vs long DFSR format differences.
7613 * * the WnR bit is never set (the caller must do this).
7614 * * for PSMAv5 based systems we don't bother to return a full FSR format
7618 * @address: virtual address to get physical address for
7619 * @access_type: 0 for read, 1 for write, 2 for execute
7620 * @mmu_idx: MMU index indicating required translation regime
7621 * @phys_ptr: set to the physical address corresponding to the virtual address
7622 * @attrs: set to the memory transaction attributes to use
7623 * @prot: set to the permissions for the page containing phys_ptr
7624 * @page_size: set to the size of the page containing phys_ptr
7625 * @fsr: set to the DFSR/IFSR value on failure
7627 static bool get_phys_addr(CPUARMState *env, target_ulong address,
7628 int access_type, ARMMMUIdx mmu_idx,
7629 hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
7630 target_ulong *page_size, uint32_t *fsr,
7631 ARMMMUFaultInfo *fi)
7633 if (mmu_idx == ARMMMUIdx_S12NSE0 || mmu_idx == ARMMMUIdx_S12NSE1) {
7634 /* Call ourselves recursively to do the stage 1 and then stage 2
7637 if (arm_feature(env, ARM_FEATURE_EL2)) {
7642 ret = get_phys_addr(env, address, access_type,
7643 mmu_idx + ARMMMUIdx_S1NSE0, &ipa, attrs,
7644 prot, page_size, fsr, fi);
7646 /* If S1 fails or S2 is disabled, return early. */
7647 if (ret || regime_translation_disabled(env, ARMMMUIdx_S2NS)) {
7652 /* S1 is done. Now do S2 translation. */
7653 ret = get_phys_addr_lpae(env, ipa, access_type, ARMMMUIdx_S2NS,
7654 phys_ptr, attrs, &s2_prot,
7655 page_size, fsr, fi);
7657 /* Combine the S1 and S2 perms. */
7662 * For non-EL2 CPUs a stage1+stage2 translation is just stage 1.
7664 mmu_idx += ARMMMUIdx_S1NSE0;
7668 /* The page table entries may downgrade secure to non-secure, but
7669 * cannot upgrade an non-secure translation regime's attributes
7672 attrs->secure = regime_is_secure(env, mmu_idx);
7673 attrs->user = regime_is_user(env, mmu_idx);
7675 /* Fast Context Switch Extension. This doesn't exist at all in v8.
7676 * In v7 and earlier it affects all stage 1 translations.
7678 if (address < 0x02000000 && mmu_idx != ARMMMUIdx_S2NS
7679 && !arm_feature(env, ARM_FEATURE_V8)) {
7680 if (regime_el(env, mmu_idx) == 3) {
7681 address += env->cp15.fcseidr_s;
7683 address += env->cp15.fcseidr_ns;
7687 /* pmsav7 has special handling for when MPU is disabled so call it before
7688 * the common MMU/MPU disabled check below.
7690 if (arm_feature(env, ARM_FEATURE_MPU) &&
7691 arm_feature(env, ARM_FEATURE_V7)) {
7692 *page_size = TARGET_PAGE_SIZE;
7693 return get_phys_addr_pmsav7(env, address, access_type, mmu_idx,
7694 phys_ptr, prot, fsr);
7697 if (regime_translation_disabled(env, mmu_idx)) {
7698 /* MMU/MPU disabled. */
7699 *phys_ptr = address;
7700 *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
7701 *page_size = TARGET_PAGE_SIZE;
7705 if (arm_feature(env, ARM_FEATURE_MPU)) {
7707 *page_size = TARGET_PAGE_SIZE;
7708 return get_phys_addr_pmsav5(env, address, access_type, mmu_idx,
7709 phys_ptr, prot, fsr);
7712 if (regime_using_lpae_format(env, mmu_idx)) {
7713 return get_phys_addr_lpae(env, address, access_type, mmu_idx, phys_ptr,
7714 attrs, prot, page_size, fsr, fi);
7715 } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) {
7716 return get_phys_addr_v6(env, address, access_type, mmu_idx, phys_ptr,
7717 attrs, prot, page_size, fsr, fi);
7719 return get_phys_addr_v5(env, address, access_type, mmu_idx, phys_ptr,
7720 prot, page_size, fsr, fi);
7724 /* Walk the page table and (if the mapping exists) add the page
7725 * to the TLB. Return false on success, or true on failure. Populate
7726 * fsr with ARM DFSR/IFSR fault register format value on failure.
7728 bool arm_tlb_fill(CPUState *cs, vaddr address,
7729 int access_type, int mmu_idx, uint32_t *fsr,
7730 ARMMMUFaultInfo *fi)
7732 ARMCPU *cpu = ARM_CPU(cs);
7733 CPUARMState *env = &cpu->env;
7735 target_ulong page_size;
7738 MemTxAttrs attrs = {};
7740 ret = get_phys_addr(env, address, access_type, mmu_idx, &phys_addr,
7741 &attrs, &prot, &page_size, fsr, fi);
7743 /* Map a single [sub]page. */
7744 phys_addr &= TARGET_PAGE_MASK;
7745 address &= TARGET_PAGE_MASK;
7746 tlb_set_page_with_attrs(cs, address, phys_addr, attrs,
7747 prot, mmu_idx, page_size);
7754 hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
7757 ARMCPU *cpu = ARM_CPU(cs);
7758 CPUARMState *env = &cpu->env;
7760 target_ulong page_size;
7764 ARMMMUFaultInfo fi = {};
7766 *attrs = (MemTxAttrs) {};
7768 ret = get_phys_addr(env, addr, 0, cpu_mmu_index(env, false), &phys_addr,
7769 attrs, &prot, &page_size, &fsr, &fi);
7777 uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
7779 ARMCPU *cpu = arm_env_get_cpu(env);
7783 return xpsr_read(env) & 0xf8000000;
7785 return xpsr_read(env) & 0xf80001ff;
7787 return xpsr_read(env) & 0xff00fc00;
7789 return xpsr_read(env) & 0xff00fdff;
7791 return xpsr_read(env) & 0x000001ff;
7793 return xpsr_read(env) & 0x0700fc00;
7795 return xpsr_read(env) & 0x0700edff;
7797 return env->v7m.current_sp ? env->v7m.other_sp : env->regs[13];
7799 return env->v7m.current_sp ? env->regs[13] : env->v7m.other_sp;
7800 case 16: /* PRIMASK */
7801 return (env->daif & PSTATE_I) != 0;
7802 case 17: /* BASEPRI */
7803 case 18: /* BASEPRI_MAX */
7804 return env->v7m.basepri;
7805 case 19: /* FAULTMASK */
7806 return (env->daif & PSTATE_F) != 0;
7807 case 20: /* CONTROL */
7808 return env->v7m.control;
7810 /* ??? For debugging only. */
7811 cpu_abort(CPU(cpu), "Unimplemented system register read (%d)\n", reg);
7816 void HELPER(v7m_msr)(CPUARMState *env, uint32_t reg, uint32_t val)
7818 ARMCPU *cpu = arm_env_get_cpu(env);
7822 xpsr_write(env, val, 0xf8000000);
7825 xpsr_write(env, val, 0xf8000000);
7828 xpsr_write(env, val, 0xfe00fc00);
7831 xpsr_write(env, val, 0xfe00fc00);
7834 /* IPSR bits are readonly. */
7837 xpsr_write(env, val, 0x0600fc00);
7840 xpsr_write(env, val, 0x0600fc00);
7843 if (env->v7m.current_sp)
7844 env->v7m.other_sp = val;
7846 env->regs[13] = val;
7849 if (env->v7m.current_sp)
7850 env->regs[13] = val;
7852 env->v7m.other_sp = val;
7854 case 16: /* PRIMASK */
7856 env->daif |= PSTATE_I;
7858 env->daif &= ~PSTATE_I;
7861 case 17: /* BASEPRI */
7862 env->v7m.basepri = val & 0xff;
7864 case 18: /* BASEPRI_MAX */
7866 if (val != 0 && (val < env->v7m.basepri || env->v7m.basepri == 0))
7867 env->v7m.basepri = val;
7869 case 19: /* FAULTMASK */
7871 env->daif |= PSTATE_F;
7873 env->daif &= ~PSTATE_F;
7876 case 20: /* CONTROL */
7877 env->v7m.control = val & 3;
7878 switch_v7m_sp(env, (val & 2) != 0);
7881 /* ??? For debugging only. */
7882 cpu_abort(CPU(cpu), "Unimplemented system register write (%d)\n", reg);
7889 void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
7891 /* Implement DC ZVA, which zeroes a fixed-length block of memory.
7892 * Note that we do not implement the (architecturally mandated)
7893 * alignment fault for attempts to use this on Device memory
7894 * (which matches the usual QEMU behaviour of not implementing either
7895 * alignment faults or any memory attribute handling).
7898 ARMCPU *cpu = arm_env_get_cpu(env);
7899 uint64_t blocklen = 4 << cpu->dcz_blocksize;
7900 uint64_t vaddr = vaddr_in & ~(blocklen - 1);
7902 #ifndef CONFIG_USER_ONLY
7904 /* Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than
7905 * the block size so we might have to do more than one TLB lookup.
7906 * We know that in fact for any v8 CPU the page size is at least 4K
7907 * and the block size must be 2K or less, but TARGET_PAGE_SIZE is only
7908 * 1K as an artefact of legacy v5 subpage support being present in the
7909 * same QEMU executable.
7911 int maxidx = DIV_ROUND_UP(blocklen, TARGET_PAGE_SIZE);
7912 void *hostaddr[maxidx];
7914 unsigned mmu_idx = cpu_mmu_index(env, false);
7915 TCGMemOpIdx oi = make_memop_idx(MO_UB, mmu_idx);
7917 for (try = 0; try < 2; try++) {
7919 for (i = 0; i < maxidx; i++) {
7920 hostaddr[i] = tlb_vaddr_to_host(env,
7921 vaddr + TARGET_PAGE_SIZE * i,
7928 /* If it's all in the TLB it's fair game for just writing to;
7929 * we know we don't need to update dirty status, etc.
7931 for (i = 0; i < maxidx - 1; i++) {
7932 memset(hostaddr[i], 0, TARGET_PAGE_SIZE);
7934 memset(hostaddr[i], 0, blocklen - (i * TARGET_PAGE_SIZE));
7937 /* OK, try a store and see if we can populate the tlb. This
7938 * might cause an exception if the memory isn't writable,
7939 * in which case we will longjmp out of here. We must for
7940 * this purpose use the actual register value passed to us
7941 * so that we get the fault address right.
7943 helper_ret_stb_mmu(env, vaddr_in, 0, oi, GETRA());
7944 /* Now we can populate the other TLB entries, if any */
7945 for (i = 0; i < maxidx; i++) {
7946 uint64_t va = vaddr + TARGET_PAGE_SIZE * i;
7947 if (va != (vaddr_in & TARGET_PAGE_MASK)) {
7948 helper_ret_stb_mmu(env, va, 0, oi, GETRA());
7953 /* Slow path (probably attempt to do this to an I/O device or
7954 * similar, or clearing of a block of code we have translations
7955 * cached for). Just do a series of byte writes as the architecture
7956 * demands. It's not worth trying to use a cpu_physical_memory_map(),
7957 * memset(), unmap() sequence here because:
7958 * + we'd need to account for the blocksize being larger than a page
7959 * + the direct-RAM access case is almost always going to be dealt
7960 * with in the fastpath code above, so there's no speed benefit
7961 * + we would have to deal with the map returning NULL because the
7962 * bounce buffer was in use
7964 for (i = 0; i < blocklen; i++) {
7965 helper_ret_stb_mmu(env, vaddr + i, 0, oi, GETRA());
7969 memset(g2h(vaddr), 0, blocklen);
7973 /* Note that signed overflow is undefined in C. The following routines are
7974 careful to use unsigned types where modulo arithmetic is required.
7975 Failure to do so _will_ break on newer gcc. */
7977 /* Signed saturating arithmetic. */
7979 /* Perform 16-bit signed saturating addition. */
7980 static inline uint16_t add16_sat(uint16_t a, uint16_t b)
7985 if (((res ^ a) & 0x8000) && !((a ^ b) & 0x8000)) {
7994 /* Perform 8-bit signed saturating addition. */
7995 static inline uint8_t add8_sat(uint8_t a, uint8_t b)
8000 if (((res ^ a) & 0x80) && !((a ^ b) & 0x80)) {
8009 /* Perform 16-bit signed saturating subtraction. */
8010 static inline uint16_t sub16_sat(uint16_t a, uint16_t b)
8015 if (((res ^ a) & 0x8000) && ((a ^ b) & 0x8000)) {
8024 /* Perform 8-bit signed saturating subtraction. */
8025 static inline uint8_t sub8_sat(uint8_t a, uint8_t b)
8030 if (((res ^ a) & 0x80) && ((a ^ b) & 0x80)) {
8039 #define ADD16(a, b, n) RESULT(add16_sat(a, b), n, 16);
8040 #define SUB16(a, b, n) RESULT(sub16_sat(a, b), n, 16);
8041 #define ADD8(a, b, n) RESULT(add8_sat(a, b), n, 8);
8042 #define SUB8(a, b, n) RESULT(sub8_sat(a, b), n, 8);
8045 #include "op_addsub.h"
8047 /* Unsigned saturating arithmetic. */
8048 static inline uint16_t add16_usat(uint16_t a, uint16_t b)
8057 static inline uint16_t sub16_usat(uint16_t a, uint16_t b)
8065 static inline uint8_t add8_usat(uint8_t a, uint8_t b)
8074 static inline uint8_t sub8_usat(uint8_t a, uint8_t b)
8082 #define ADD16(a, b, n) RESULT(add16_usat(a, b), n, 16);
8083 #define SUB16(a, b, n) RESULT(sub16_usat(a, b), n, 16);
8084 #define ADD8(a, b, n) RESULT(add8_usat(a, b), n, 8);
8085 #define SUB8(a, b, n) RESULT(sub8_usat(a, b), n, 8);
8088 #include "op_addsub.h"
8090 /* Signed modulo arithmetic. */
8091 #define SARITH16(a, b, n, op) do { \
8093 sum = (int32_t)(int16_t)(a) op (int32_t)(int16_t)(b); \
8094 RESULT(sum, n, 16); \
8096 ge |= 3 << (n * 2); \
8099 #define SARITH8(a, b, n, op) do { \
8101 sum = (int32_t)(int8_t)(a) op (int32_t)(int8_t)(b); \
8102 RESULT(sum, n, 8); \
8108 #define ADD16(a, b, n) SARITH16(a, b, n, +)
8109 #define SUB16(a, b, n) SARITH16(a, b, n, -)
8110 #define ADD8(a, b, n) SARITH8(a, b, n, +)
8111 #define SUB8(a, b, n) SARITH8(a, b, n, -)
8115 #include "op_addsub.h"
8117 /* Unsigned modulo arithmetic. */
8118 #define ADD16(a, b, n) do { \
8120 sum = (uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b); \
8121 RESULT(sum, n, 16); \
8122 if ((sum >> 16) == 1) \
8123 ge |= 3 << (n * 2); \
8126 #define ADD8(a, b, n) do { \
8128 sum = (uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b); \
8129 RESULT(sum, n, 8); \
8130 if ((sum >> 8) == 1) \
8134 #define SUB16(a, b, n) do { \
8136 sum = (uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b); \
8137 RESULT(sum, n, 16); \
8138 if ((sum >> 16) == 0) \
8139 ge |= 3 << (n * 2); \
8142 #define SUB8(a, b, n) do { \
8144 sum = (uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b); \
8145 RESULT(sum, n, 8); \
8146 if ((sum >> 8) == 0) \
8153 #include "op_addsub.h"
8155 /* Halved signed arithmetic. */
8156 #define ADD16(a, b, n) \
8157 RESULT(((int32_t)(int16_t)(a) + (int32_t)(int16_t)(b)) >> 1, n, 16)
8158 #define SUB16(a, b, n) \
8159 RESULT(((int32_t)(int16_t)(a) - (int32_t)(int16_t)(b)) >> 1, n, 16)
8160 #define ADD8(a, b, n) \
8161 RESULT(((int32_t)(int8_t)(a) + (int32_t)(int8_t)(b)) >> 1, n, 8)
8162 #define SUB8(a, b, n) \
8163 RESULT(((int32_t)(int8_t)(a) - (int32_t)(int8_t)(b)) >> 1, n, 8)
8166 #include "op_addsub.h"
8168 /* Halved unsigned arithmetic. */
8169 #define ADD16(a, b, n) \
8170 RESULT(((uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b)) >> 1, n, 16)
8171 #define SUB16(a, b, n) \
8172 RESULT(((uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b)) >> 1, n, 16)
8173 #define ADD8(a, b, n) \
8174 RESULT(((uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b)) >> 1, n, 8)
8175 #define SUB8(a, b, n) \
8176 RESULT(((uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b)) >> 1, n, 8)
8179 #include "op_addsub.h"
8181 static inline uint8_t do_usad(uint8_t a, uint8_t b)
8189 /* Unsigned sum of absolute byte differences. */
8190 uint32_t HELPER(usad8)(uint32_t a, uint32_t b)
8193 sum = do_usad(a, b);
8194 sum += do_usad(a >> 8, b >> 8);
8195 sum += do_usad(a >> 16, b >>16);
8196 sum += do_usad(a >> 24, b >> 24);
8200 /* For ARMv6 SEL instruction. */
8201 uint32_t HELPER(sel_flags)(uint32_t flags, uint32_t a, uint32_t b)
8214 return (a & mask) | (b & ~mask);
8217 /* VFP support. We follow the convention used for VFP instructions:
8218 Single precision routines have a "s" suffix, double precision a
8221 /* Convert host exception flags to vfp form. */
8222 static inline int vfp_exceptbits_from_host(int host_bits)
8224 int target_bits = 0;
8226 if (host_bits & float_flag_invalid)
8228 if (host_bits & float_flag_divbyzero)
8230 if (host_bits & float_flag_overflow)
8232 if (host_bits & (float_flag_underflow | float_flag_output_denormal))
8234 if (host_bits & float_flag_inexact)
8235 target_bits |= 0x10;
8236 if (host_bits & float_flag_input_denormal)
8237 target_bits |= 0x80;
8241 uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
8246 fpscr = (env->vfp.xregs[ARM_VFP_FPSCR] & 0xffc8ffff)
8247 | (env->vfp.vec_len << 16)
8248 | (env->vfp.vec_stride << 20);
8249 i = get_float_exception_flags(&env->vfp.fp_status);
8250 i |= get_float_exception_flags(&env->vfp.standard_fp_status);
8251 fpscr |= vfp_exceptbits_from_host(i);
8255 uint32_t vfp_get_fpscr(CPUARMState *env)
8257 return HELPER(vfp_get_fpscr)(env);
8260 /* Convert vfp exception flags to target form. */
8261 static inline int vfp_exceptbits_to_host(int target_bits)
8265 if (target_bits & 1)
8266 host_bits |= float_flag_invalid;
8267 if (target_bits & 2)
8268 host_bits |= float_flag_divbyzero;
8269 if (target_bits & 4)
8270 host_bits |= float_flag_overflow;
8271 if (target_bits & 8)
8272 host_bits |= float_flag_underflow;
8273 if (target_bits & 0x10)
8274 host_bits |= float_flag_inexact;
8275 if (target_bits & 0x80)
8276 host_bits |= float_flag_input_denormal;
8280 void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
8285 changed = env->vfp.xregs[ARM_VFP_FPSCR];
8286 env->vfp.xregs[ARM_VFP_FPSCR] = (val & 0xffc8ffff);
8287 env->vfp.vec_len = (val >> 16) & 7;
8288 env->vfp.vec_stride = (val >> 20) & 3;
8291 if (changed & (3 << 22)) {
8292 i = (val >> 22) & 3;
8294 case FPROUNDING_TIEEVEN:
8295 i = float_round_nearest_even;
8297 case FPROUNDING_POSINF:
8300 case FPROUNDING_NEGINF:
8301 i = float_round_down;
8303 case FPROUNDING_ZERO:
8304 i = float_round_to_zero;
8307 set_float_rounding_mode(i, &env->vfp.fp_status);
8309 if (changed & (1 << 24)) {
8310 set_flush_to_zero((val & (1 << 24)) != 0, &env->vfp.fp_status);
8311 set_flush_inputs_to_zero((val & (1 << 24)) != 0, &env->vfp.fp_status);
8313 if (changed & (1 << 25))
8314 set_default_nan_mode((val & (1 << 25)) != 0, &env->vfp.fp_status);
8316 i = vfp_exceptbits_to_host(val);
8317 set_float_exception_flags(i, &env->vfp.fp_status);
8318 set_float_exception_flags(0, &env->vfp.standard_fp_status);
8321 void vfp_set_fpscr(CPUARMState *env, uint32_t val)
8323 HELPER(vfp_set_fpscr)(env, val);
8326 #define VFP_HELPER(name, p) HELPER(glue(glue(vfp_,name),p))
8328 #define VFP_BINOP(name) \
8329 float32 VFP_HELPER(name, s)(float32 a, float32 b, void *fpstp) \
8331 float_status *fpst = fpstp; \
8332 return float32_ ## name(a, b, fpst); \
8334 float64 VFP_HELPER(name, d)(float64 a, float64 b, void *fpstp) \
8336 float_status *fpst = fpstp; \
8337 return float64_ ## name(a, b, fpst); \
8349 float32 VFP_HELPER(neg, s)(float32 a)
8351 return float32_chs(a);
8354 float64 VFP_HELPER(neg, d)(float64 a)
8356 return float64_chs(a);
8359 float32 VFP_HELPER(abs, s)(float32 a)
8361 return float32_abs(a);
8364 float64 VFP_HELPER(abs, d)(float64 a)
8366 return float64_abs(a);
8369 float32 VFP_HELPER(sqrt, s)(float32 a, CPUARMState *env)
8371 return float32_sqrt(a, &env->vfp.fp_status);
8374 float64 VFP_HELPER(sqrt, d)(float64 a, CPUARMState *env)
8376 return float64_sqrt(a, &env->vfp.fp_status);
8379 /* XXX: check quiet/signaling case */
8380 #define DO_VFP_cmp(p, type) \
8381 void VFP_HELPER(cmp, p)(type a, type b, CPUARMState *env) \
8384 switch(type ## _compare_quiet(a, b, &env->vfp.fp_status)) { \
8385 case 0: flags = 0x6; break; \
8386 case -1: flags = 0x8; break; \
8387 case 1: flags = 0x2; break; \
8388 default: case 2: flags = 0x3; break; \
8390 env->vfp.xregs[ARM_VFP_FPSCR] = (flags << 28) \
8391 | (env->vfp.xregs[ARM_VFP_FPSCR] & 0x0fffffff); \
8393 void VFP_HELPER(cmpe, p)(type a, type b, CPUARMState *env) \
8396 switch(type ## _compare(a, b, &env->vfp.fp_status)) { \
8397 case 0: flags = 0x6; break; \
8398 case -1: flags = 0x8; break; \
8399 case 1: flags = 0x2; break; \
8400 default: case 2: flags = 0x3; break; \
8402 env->vfp.xregs[ARM_VFP_FPSCR] = (flags << 28) \
8403 | (env->vfp.xregs[ARM_VFP_FPSCR] & 0x0fffffff); \
8405 DO_VFP_cmp(s, float32)
8406 DO_VFP_cmp(d, float64)
8409 /* Integer to float and float to integer conversions */
8411 #define CONV_ITOF(name, fsz, sign) \
8412 float##fsz HELPER(name)(uint32_t x, void *fpstp) \
8414 float_status *fpst = fpstp; \
8415 return sign##int32_to_##float##fsz((sign##int32_t)x, fpst); \
8418 #define CONV_FTOI(name, fsz, sign, round) \
8419 uint32_t HELPER(name)(float##fsz x, void *fpstp) \
8421 float_status *fpst = fpstp; \
8422 if (float##fsz##_is_any_nan(x)) { \
8423 float_raise(float_flag_invalid, fpst); \
8426 return float##fsz##_to_##sign##int32##round(x, fpst); \
8429 #define FLOAT_CONVS(name, p, fsz, sign) \
8430 CONV_ITOF(vfp_##name##to##p, fsz, sign) \
8431 CONV_FTOI(vfp_to##name##p, fsz, sign, ) \
8432 CONV_FTOI(vfp_to##name##z##p, fsz, sign, _round_to_zero)
8434 FLOAT_CONVS(si, s, 32, )
8435 FLOAT_CONVS(si, d, 64, )
8436 FLOAT_CONVS(ui, s, 32, u)
8437 FLOAT_CONVS(ui, d, 64, u)
8443 /* floating point conversion */
8444 float64 VFP_HELPER(fcvtd, s)(float32 x, CPUARMState *env)
8446 float64 r = float32_to_float64(x, &env->vfp.fp_status);
8447 /* ARM requires that S<->D conversion of any kind of NaN generates
8448 * a quiet NaN by forcing the most significant frac bit to 1.
8450 return float64_maybe_silence_nan(r);
8453 float32 VFP_HELPER(fcvts, d)(float64 x, CPUARMState *env)
8455 float32 r = float64_to_float32(x, &env->vfp.fp_status);
8456 /* ARM requires that S<->D conversion of any kind of NaN generates
8457 * a quiet NaN by forcing the most significant frac bit to 1.
8459 return float32_maybe_silence_nan(r);
8462 /* VFP3 fixed point conversion. */
8463 #define VFP_CONV_FIX_FLOAT(name, p, fsz, isz, itype) \
8464 float##fsz HELPER(vfp_##name##to##p)(uint##isz##_t x, uint32_t shift, \
8467 float_status *fpst = fpstp; \
8469 tmp = itype##_to_##float##fsz(x, fpst); \
8470 return float##fsz##_scalbn(tmp, -(int)shift, fpst); \
8473 /* Notice that we want only input-denormal exception flags from the
8474 * scalbn operation: the other possible flags (overflow+inexact if
8475 * we overflow to infinity, output-denormal) aren't correct for the
8476 * complete scale-and-convert operation.
8478 #define VFP_CONV_FLOAT_FIX_ROUND(name, p, fsz, isz, itype, round) \
8479 uint##isz##_t HELPER(vfp_to##name##p##round)(float##fsz x, \
8483 float_status *fpst = fpstp; \
8484 int old_exc_flags = get_float_exception_flags(fpst); \
8486 if (float##fsz##_is_any_nan(x)) { \
8487 float_raise(float_flag_invalid, fpst); \
8490 tmp = float##fsz##_scalbn(x, shift, fpst); \
8491 old_exc_flags |= get_float_exception_flags(fpst) \
8492 & float_flag_input_denormal; \
8493 set_float_exception_flags(old_exc_flags, fpst); \
8494 return float##fsz##_to_##itype##round(tmp, fpst); \
8497 #define VFP_CONV_FIX(name, p, fsz, isz, itype) \
8498 VFP_CONV_FIX_FLOAT(name, p, fsz, isz, itype) \
8499 VFP_CONV_FLOAT_FIX_ROUND(name, p, fsz, isz, itype, _round_to_zero) \
8500 VFP_CONV_FLOAT_FIX_ROUND(name, p, fsz, isz, itype, )
8502 #define VFP_CONV_FIX_A64(name, p, fsz, isz, itype) \
8503 VFP_CONV_FIX_FLOAT(name, p, fsz, isz, itype) \
8504 VFP_CONV_FLOAT_FIX_ROUND(name, p, fsz, isz, itype, )
8506 VFP_CONV_FIX(sh, d, 64, 64, int16)
8507 VFP_CONV_FIX(sl, d, 64, 64, int32)
8508 VFP_CONV_FIX_A64(sq, d, 64, 64, int64)
8509 VFP_CONV_FIX(uh, d, 64, 64, uint16)
8510 VFP_CONV_FIX(ul, d, 64, 64, uint32)
8511 VFP_CONV_FIX_A64(uq, d, 64, 64, uint64)
8512 VFP_CONV_FIX(sh, s, 32, 32, int16)
8513 VFP_CONV_FIX(sl, s, 32, 32, int32)
8514 VFP_CONV_FIX_A64(sq, s, 32, 64, int64)
8515 VFP_CONV_FIX(uh, s, 32, 32, uint16)
8516 VFP_CONV_FIX(ul, s, 32, 32, uint32)
8517 VFP_CONV_FIX_A64(uq, s, 32, 64, uint64)
8519 #undef VFP_CONV_FIX_FLOAT
8520 #undef VFP_CONV_FLOAT_FIX_ROUND
8522 /* Set the current fp rounding mode and return the old one.
8523 * The argument is a softfloat float_round_ value.
8525 uint32_t HELPER(set_rmode)(uint32_t rmode, CPUARMState *env)
8527 float_status *fp_status = &env->vfp.fp_status;
8529 uint32_t prev_rmode = get_float_rounding_mode(fp_status);
8530 set_float_rounding_mode(rmode, fp_status);
8535 /* Set the current fp rounding mode in the standard fp status and return
8536 * the old one. This is for NEON instructions that need to change the
8537 * rounding mode but wish to use the standard FPSCR values for everything
8538 * else. Always set the rounding mode back to the correct value after
8540 * The argument is a softfloat float_round_ value.
8542 uint32_t HELPER(set_neon_rmode)(uint32_t rmode, CPUARMState *env)
8544 float_status *fp_status = &env->vfp.standard_fp_status;
8546 uint32_t prev_rmode = get_float_rounding_mode(fp_status);
8547 set_float_rounding_mode(rmode, fp_status);
8552 /* Half precision conversions. */
8553 static float32 do_fcvt_f16_to_f32(uint32_t a, CPUARMState *env, float_status *s)
8555 int ieee = (env->vfp.xregs[ARM_VFP_FPSCR] & (1 << 26)) == 0;
8556 float32 r = float16_to_float32(make_float16(a), ieee, s);
8558 return float32_maybe_silence_nan(r);
8563 static uint32_t do_fcvt_f32_to_f16(float32 a, CPUARMState *env, float_status *s)
8565 int ieee = (env->vfp.xregs[ARM_VFP_FPSCR] & (1 << 26)) == 0;
8566 float16 r = float32_to_float16(a, ieee, s);
8568 r = float16_maybe_silence_nan(r);
8570 return float16_val(r);
8573 float32 HELPER(neon_fcvt_f16_to_f32)(uint32_t a, CPUARMState *env)
8575 return do_fcvt_f16_to_f32(a, env, &env->vfp.standard_fp_status);
8578 uint32_t HELPER(neon_fcvt_f32_to_f16)(float32 a, CPUARMState *env)
8580 return do_fcvt_f32_to_f16(a, env, &env->vfp.standard_fp_status);
8583 float32 HELPER(vfp_fcvt_f16_to_f32)(uint32_t a, CPUARMState *env)
8585 return do_fcvt_f16_to_f32(a, env, &env->vfp.fp_status);
8588 uint32_t HELPER(vfp_fcvt_f32_to_f16)(float32 a, CPUARMState *env)
8590 return do_fcvt_f32_to_f16(a, env, &env->vfp.fp_status);
8593 float64 HELPER(vfp_fcvt_f16_to_f64)(uint32_t a, CPUARMState *env)
8595 int ieee = (env->vfp.xregs[ARM_VFP_FPSCR] & (1 << 26)) == 0;
8596 float64 r = float16_to_float64(make_float16(a), ieee, &env->vfp.fp_status);
8598 return float64_maybe_silence_nan(r);
8603 uint32_t HELPER(vfp_fcvt_f64_to_f16)(float64 a, CPUARMState *env)
8605 int ieee = (env->vfp.xregs[ARM_VFP_FPSCR] & (1 << 26)) == 0;
8606 float16 r = float64_to_float16(a, ieee, &env->vfp.fp_status);
8608 r = float16_maybe_silence_nan(r);
8610 return float16_val(r);
8613 #define float32_two make_float32(0x40000000)
8614 #define float32_three make_float32(0x40400000)
8615 #define float32_one_point_five make_float32(0x3fc00000)
8617 float32 HELPER(recps_f32)(float32 a, float32 b, CPUARMState *env)
8619 float_status *s = &env->vfp.standard_fp_status;
8620 if ((float32_is_infinity(a) && float32_is_zero_or_denormal(b)) ||
8621 (float32_is_infinity(b) && float32_is_zero_or_denormal(a))) {
8622 if (!(float32_is_zero(a) || float32_is_zero(b))) {
8623 float_raise(float_flag_input_denormal, s);
8627 return float32_sub(float32_two, float32_mul(a, b, s), s);
8630 float32 HELPER(rsqrts_f32)(float32 a, float32 b, CPUARMState *env)
8632 float_status *s = &env->vfp.standard_fp_status;
8634 if ((float32_is_infinity(a) && float32_is_zero_or_denormal(b)) ||
8635 (float32_is_infinity(b) && float32_is_zero_or_denormal(a))) {
8636 if (!(float32_is_zero(a) || float32_is_zero(b))) {
8637 float_raise(float_flag_input_denormal, s);
8639 return float32_one_point_five;
8641 product = float32_mul(a, b, s);
8642 return float32_div(float32_sub(float32_three, product, s), float32_two, s);
8647 /* Constants 256 and 512 are used in some helpers; we avoid relying on
8648 * int->float conversions at run-time. */
8649 #define float64_256 make_float64(0x4070000000000000LL)
8650 #define float64_512 make_float64(0x4080000000000000LL)
8651 #define float32_maxnorm make_float32(0x7f7fffff)
8652 #define float64_maxnorm make_float64(0x7fefffffffffffffLL)
8654 /* Reciprocal functions
8656 * The algorithm that must be used to calculate the estimate
8657 * is specified by the ARM ARM, see FPRecipEstimate()
8660 static float64 recip_estimate(float64 a, float_status *real_fp_status)
8662 /* These calculations mustn't set any fp exception flags,
8663 * so we use a local copy of the fp_status.
8665 float_status dummy_status = *real_fp_status;
8666 float_status *s = &dummy_status;
8667 /* q = (int)(a * 512.0) */
8668 float64 q = float64_mul(float64_512, a, s);
8669 int64_t q_int = float64_to_int64_round_to_zero(q, s);
8671 /* r = 1.0 / (((double)q + 0.5) / 512.0) */
8672 q = int64_to_float64(q_int, s);
8673 q = float64_add(q, float64_half, s);
8674 q = float64_div(q, float64_512, s);
8675 q = float64_div(float64_one, q, s);
8677 /* s = (int)(256.0 * r + 0.5) */
8678 q = float64_mul(q, float64_256, s);
8679 q = float64_add(q, float64_half, s);
8680 q_int = float64_to_int64_round_to_zero(q, s);
8682 /* return (double)s / 256.0 */
8683 return float64_div(int64_to_float64(q_int, s), float64_256, s);
8686 /* Common wrapper to call recip_estimate */
8687 static float64 call_recip_estimate(float64 num, int off, float_status *fpst)
8689 uint64_t val64 = float64_val(num);
8690 uint64_t frac = extract64(val64, 0, 52);
8691 int64_t exp = extract64(val64, 52, 11);
8693 float64 scaled, estimate;
8695 /* Generate the scaled number for the estimate function */
8697 if (extract64(frac, 51, 1) == 0) {
8699 frac = extract64(frac, 0, 50) << 2;
8701 frac = extract64(frac, 0, 51) << 1;
8705 /* scaled = '0' : '01111111110' : fraction<51:44> : Zeros(44); */
8706 scaled = make_float64((0x3feULL << 52)
8707 | extract64(frac, 44, 8) << 44);
8709 estimate = recip_estimate(scaled, fpst);
8711 /* Build new result */
8712 val64 = float64_val(estimate);
8713 sbit = 0x8000000000000000ULL & val64;
8715 frac = extract64(val64, 0, 52);
8718 frac = 1ULL << 51 | extract64(frac, 1, 51);
8719 } else if (exp == -1) {
8720 frac = 1ULL << 50 | extract64(frac, 2, 50);
8724 return make_float64(sbit | (exp << 52) | frac);
8727 static bool round_to_inf(float_status *fpst, bool sign_bit)
8729 switch (fpst->float_rounding_mode) {
8730 case float_round_nearest_even: /* Round to Nearest */
8732 case float_round_up: /* Round to +Inf */
8734 case float_round_down: /* Round to -Inf */
8736 case float_round_to_zero: /* Round to Zero */
8740 g_assert_not_reached();
8743 float32 HELPER(recpe_f32)(float32 input, void *fpstp)
8745 float_status *fpst = fpstp;
8746 float32 f32 = float32_squash_input_denormal(input, fpst);
8747 uint32_t f32_val = float32_val(f32);
8748 uint32_t f32_sbit = 0x80000000ULL & f32_val;
8749 int32_t f32_exp = extract32(f32_val, 23, 8);
8750 uint32_t f32_frac = extract32(f32_val, 0, 23);
8756 if (float32_is_any_nan(f32)) {
8758 if (float32_is_signaling_nan(f32)) {
8759 float_raise(float_flag_invalid, fpst);
8760 nan = float32_maybe_silence_nan(f32);
8762 if (fpst->default_nan_mode) {
8763 nan = float32_default_nan;
8766 } else if (float32_is_infinity(f32)) {
8767 return float32_set_sign(float32_zero, float32_is_neg(f32));
8768 } else if (float32_is_zero(f32)) {
8769 float_raise(float_flag_divbyzero, fpst);
8770 return float32_set_sign(float32_infinity, float32_is_neg(f32));
8771 } else if ((f32_val & ~(1ULL << 31)) < (1ULL << 21)) {
8772 /* Abs(value) < 2.0^-128 */
8773 float_raise(float_flag_overflow | float_flag_inexact, fpst);
8774 if (round_to_inf(fpst, f32_sbit)) {
8775 return float32_set_sign(float32_infinity, float32_is_neg(f32));
8777 return float32_set_sign(float32_maxnorm, float32_is_neg(f32));
8779 } else if (f32_exp >= 253 && fpst->flush_to_zero) {
8780 float_raise(float_flag_underflow, fpst);
8781 return float32_set_sign(float32_zero, float32_is_neg(f32));
8785 f64 = make_float64(((int64_t)(f32_exp) << 52) | (int64_t)(f32_frac) << 29);
8786 r64 = call_recip_estimate(f64, 253, fpst);
8787 r64_val = float64_val(r64);
8788 r64_exp = extract64(r64_val, 52, 11);
8789 r64_frac = extract64(r64_val, 0, 52);
8791 /* result = sign : result_exp<7:0> : fraction<51:29>; */
8792 return make_float32(f32_sbit |
8793 (r64_exp & 0xff) << 23 |
8794 extract64(r64_frac, 29, 24));
8797 float64 HELPER(recpe_f64)(float64 input, void *fpstp)
8799 float_status *fpst = fpstp;
8800 float64 f64 = float64_squash_input_denormal(input, fpst);
8801 uint64_t f64_val = float64_val(f64);
8802 uint64_t f64_sbit = 0x8000000000000000ULL & f64_val;
8803 int64_t f64_exp = extract64(f64_val, 52, 11);
8809 /* Deal with any special cases */
8810 if (float64_is_any_nan(f64)) {
8812 if (float64_is_signaling_nan(f64)) {
8813 float_raise(float_flag_invalid, fpst);
8814 nan = float64_maybe_silence_nan(f64);
8816 if (fpst->default_nan_mode) {
8817 nan = float64_default_nan;
8820 } else if (float64_is_infinity(f64)) {
8821 return float64_set_sign(float64_zero, float64_is_neg(f64));
8822 } else if (float64_is_zero(f64)) {
8823 float_raise(float_flag_divbyzero, fpst);
8824 return float64_set_sign(float64_infinity, float64_is_neg(f64));
8825 } else if ((f64_val & ~(1ULL << 63)) < (1ULL << 50)) {
8826 /* Abs(value) < 2.0^-1024 */
8827 float_raise(float_flag_overflow | float_flag_inexact, fpst);
8828 if (round_to_inf(fpst, f64_sbit)) {
8829 return float64_set_sign(float64_infinity, float64_is_neg(f64));
8831 return float64_set_sign(float64_maxnorm, float64_is_neg(f64));
8833 } else if (f64_exp >= 2045 && fpst->flush_to_zero) {
8834 float_raise(float_flag_underflow, fpst);
8835 return float64_set_sign(float64_zero, float64_is_neg(f64));
8838 r64 = call_recip_estimate(f64, 2045, fpst);
8839 r64_val = float64_val(r64);
8840 r64_exp = extract64(r64_val, 52, 11);
8841 r64_frac = extract64(r64_val, 0, 52);
8843 /* result = sign : result_exp<10:0> : fraction<51:0> */
8844 return make_float64(f64_sbit |
8845 ((r64_exp & 0x7ff) << 52) |
8849 /* The algorithm that must be used to calculate the estimate
8850 * is specified by the ARM ARM.
8852 static float64 recip_sqrt_estimate(float64 a, float_status *real_fp_status)
8854 /* These calculations mustn't set any fp exception flags,
8855 * so we use a local copy of the fp_status.
8857 float_status dummy_status = *real_fp_status;
8858 float_status *s = &dummy_status;
8862 if (float64_lt(a, float64_half, s)) {
8863 /* range 0.25 <= a < 0.5 */
8865 /* a in units of 1/512 rounded down */
8866 /* q0 = (int)(a * 512.0); */
8867 q = float64_mul(float64_512, a, s);
8868 q_int = float64_to_int64_round_to_zero(q, s);
8870 /* reciprocal root r */
8871 /* r = 1.0 / sqrt(((double)q0 + 0.5) / 512.0); */
8872 q = int64_to_float64(q_int, s);
8873 q = float64_add(q, float64_half, s);
8874 q = float64_div(q, float64_512, s);
8875 q = float64_sqrt(q, s);
8876 q = float64_div(float64_one, q, s);
8878 /* range 0.5 <= a < 1.0 */
8880 /* a in units of 1/256 rounded down */
8881 /* q1 = (int)(a * 256.0); */
8882 q = float64_mul(float64_256, a, s);
8883 int64_t q_int = float64_to_int64_round_to_zero(q, s);
8885 /* reciprocal root r */
8886 /* r = 1.0 /sqrt(((double)q1 + 0.5) / 256); */
8887 q = int64_to_float64(q_int, s);
8888 q = float64_add(q, float64_half, s);
8889 q = float64_div(q, float64_256, s);
8890 q = float64_sqrt(q, s);
8891 q = float64_div(float64_one, q, s);
8893 /* r in units of 1/256 rounded to nearest */
8894 /* s = (int)(256.0 * r + 0.5); */
8896 q = float64_mul(q, float64_256,s );
8897 q = float64_add(q, float64_half, s);
8898 q_int = float64_to_int64_round_to_zero(q, s);
8900 /* return (double)s / 256.0;*/
8901 return float64_div(int64_to_float64(q_int, s), float64_256, s);
8904 float32 HELPER(rsqrte_f32)(float32 input, void *fpstp)
8906 float_status *s = fpstp;
8907 float32 f32 = float32_squash_input_denormal(input, s);
8908 uint32_t val = float32_val(f32);
8909 uint32_t f32_sbit = 0x80000000 & val;
8910 int32_t f32_exp = extract32(val, 23, 8);
8911 uint32_t f32_frac = extract32(val, 0, 23);
8917 if (float32_is_any_nan(f32)) {
8919 if (float32_is_signaling_nan(f32)) {
8920 float_raise(float_flag_invalid, s);
8921 nan = float32_maybe_silence_nan(f32);
8923 if (s->default_nan_mode) {
8924 nan = float32_default_nan;
8927 } else if (float32_is_zero(f32)) {
8928 float_raise(float_flag_divbyzero, s);
8929 return float32_set_sign(float32_infinity, float32_is_neg(f32));
8930 } else if (float32_is_neg(f32)) {
8931 float_raise(float_flag_invalid, s);
8932 return float32_default_nan;
8933 } else if (float32_is_infinity(f32)) {
8934 return float32_zero;
8937 /* Scale and normalize to a double-precision value between 0.25 and 1.0,
8938 * preserving the parity of the exponent. */
8940 f64_frac = ((uint64_t) f32_frac) << 29;
8942 while (extract64(f64_frac, 51, 1) == 0) {
8943 f64_frac = f64_frac << 1;
8944 f32_exp = f32_exp-1;
8946 f64_frac = extract64(f64_frac, 0, 51) << 1;
8949 if (extract64(f32_exp, 0, 1) == 0) {
8950 f64 = make_float64(((uint64_t) f32_sbit) << 32
8954 f64 = make_float64(((uint64_t) f32_sbit) << 32
8959 result_exp = (380 - f32_exp) / 2;
8961 f64 = recip_sqrt_estimate(f64, s);
8963 val64 = float64_val(f64);
8965 val = ((result_exp & 0xff) << 23)
8966 | ((val64 >> 29) & 0x7fffff);
8967 return make_float32(val);
8970 float64 HELPER(rsqrte_f64)(float64 input, void *fpstp)
8972 float_status *s = fpstp;
8973 float64 f64 = float64_squash_input_denormal(input, s);
8974 uint64_t val = float64_val(f64);
8975 uint64_t f64_sbit = 0x8000000000000000ULL & val;
8976 int64_t f64_exp = extract64(val, 52, 11);
8977 uint64_t f64_frac = extract64(val, 0, 52);
8979 uint64_t result_frac;
8981 if (float64_is_any_nan(f64)) {
8983 if (float64_is_signaling_nan(f64)) {
8984 float_raise(float_flag_invalid, s);
8985 nan = float64_maybe_silence_nan(f64);
8987 if (s->default_nan_mode) {
8988 nan = float64_default_nan;
8991 } else if (float64_is_zero(f64)) {
8992 float_raise(float_flag_divbyzero, s);
8993 return float64_set_sign(float64_infinity, float64_is_neg(f64));
8994 } else if (float64_is_neg(f64)) {
8995 float_raise(float_flag_invalid, s);
8996 return float64_default_nan;
8997 } else if (float64_is_infinity(f64)) {
8998 return float64_zero;
9001 /* Scale and normalize to a double-precision value between 0.25 and 1.0,
9002 * preserving the parity of the exponent. */
9005 while (extract64(f64_frac, 51, 1) == 0) {
9006 f64_frac = f64_frac << 1;
9007 f64_exp = f64_exp - 1;
9009 f64_frac = extract64(f64_frac, 0, 51) << 1;
9012 if (extract64(f64_exp, 0, 1) == 0) {
9013 f64 = make_float64(f64_sbit
9017 f64 = make_float64(f64_sbit
9022 result_exp = (3068 - f64_exp) / 2;
9024 f64 = recip_sqrt_estimate(f64, s);
9026 result_frac = extract64(float64_val(f64), 0, 52);
9028 return make_float64(f64_sbit |
9029 ((result_exp & 0x7ff) << 52) |
9033 uint32_t HELPER(recpe_u32)(uint32_t a, void *fpstp)
9035 float_status *s = fpstp;
9038 if ((a & 0x80000000) == 0) {
9042 f64 = make_float64((0x3feULL << 52)
9043 | ((int64_t)(a & 0x7fffffff) << 21));
9045 f64 = recip_estimate(f64, s);
9047 return 0x80000000 | ((float64_val(f64) >> 21) & 0x7fffffff);
9050 uint32_t HELPER(rsqrte_u32)(uint32_t a, void *fpstp)
9052 float_status *fpst = fpstp;
9055 if ((a & 0xc0000000) == 0) {
9059 if (a & 0x80000000) {
9060 f64 = make_float64((0x3feULL << 52)
9061 | ((uint64_t)(a & 0x7fffffff) << 21));
9062 } else { /* bits 31-30 == '01' */
9063 f64 = make_float64((0x3fdULL << 52)
9064 | ((uint64_t)(a & 0x3fffffff) << 22));
9067 f64 = recip_sqrt_estimate(f64, fpst);
9069 return 0x80000000 | ((float64_val(f64) >> 21) & 0x7fffffff);
9072 /* VFPv4 fused multiply-accumulate */
9073 float32 VFP_HELPER(muladd, s)(float32 a, float32 b, float32 c, void *fpstp)
9075 float_status *fpst = fpstp;
9076 return float32_muladd(a, b, c, 0, fpst);
9079 float64 VFP_HELPER(muladd, d)(float64 a, float64 b, float64 c, void *fpstp)
9081 float_status *fpst = fpstp;
9082 return float64_muladd(a, b, c, 0, fpst);
9085 /* ARMv8 round to integral */
9086 float32 HELPER(rints_exact)(float32 x, void *fp_status)
9088 return float32_round_to_int(x, fp_status);
9091 float64 HELPER(rintd_exact)(float64 x, void *fp_status)
9093 return float64_round_to_int(x, fp_status);
9096 float32 HELPER(rints)(float32 x, void *fp_status)
9098 int old_flags = get_float_exception_flags(fp_status), new_flags;
9101 ret = float32_round_to_int(x, fp_status);
9103 /* Suppress any inexact exceptions the conversion produced */
9104 if (!(old_flags & float_flag_inexact)) {
9105 new_flags = get_float_exception_flags(fp_status);
9106 set_float_exception_flags(new_flags & ~float_flag_inexact, fp_status);
9112 float64 HELPER(rintd)(float64 x, void *fp_status)
9114 int old_flags = get_float_exception_flags(fp_status), new_flags;
9117 ret = float64_round_to_int(x, fp_status);
9119 new_flags = get_float_exception_flags(fp_status);
9121 /* Suppress any inexact exceptions the conversion produced */
9122 if (!(old_flags & float_flag_inexact)) {
9123 new_flags = get_float_exception_flags(fp_status);
9124 set_float_exception_flags(new_flags & ~float_flag_inexact, fp_status);
9130 /* Convert ARM rounding mode to softfloat */
9131 int arm_rmode_to_sf(int rmode)
9134 case FPROUNDING_TIEAWAY:
9135 rmode = float_round_ties_away;
9137 case FPROUNDING_ODD:
9138 /* FIXME: add support for TIEAWAY and ODD */
9139 qemu_log_mask(LOG_UNIMP, "arm: unimplemented rounding mode: %d\n",
9141 case FPROUNDING_TIEEVEN:
9143 rmode = float_round_nearest_even;
9145 case FPROUNDING_POSINF:
9146 rmode = float_round_up;
9148 case FPROUNDING_NEGINF:
9149 rmode = float_round_down;
9151 case FPROUNDING_ZERO:
9152 rmode = float_round_to_zero;
9159 * The upper bytes of val (above the number specified by 'bytes') must have
9160 * been zeroed out by the caller.
9162 uint32_t HELPER(crc32)(uint32_t acc, uint32_t val, uint32_t bytes)
9168 /* zlib crc32 converts the accumulator and output to one's complement. */
9169 return crc32(acc ^ 0xffffffff, buf, bytes) ^ 0xffffffff;
9172 uint32_t HELPER(crc32c)(uint32_t acc, uint32_t val, uint32_t bytes)
9178 /* Linux crc32c converts the output to one's complement. */
9179 return crc32c(acc, buf, bytes) ^ 0xffffffff;
projects / qemu.git / blob